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1.  Introduction 

Ram  is  an  intensions!  semantic  theory  of  function  and  control  abstractions 
as  computation  primitives.  It  is  a  mathematical  foundation  for  understanding 
and  improving  current  practice  in  symbolic  (Lisp-style)  computation.  The  theory 
provides,  in  a  single  context,  a  variety  of  semantics  ranging  from  structures  and 
rules  for  carrying  out  computations  to  an  interpretation  as  functions  on  the  com¬ 
putation  domain.  Properties  of  powerful  programming  tools  such  as  functions  as 
values,  streams,  aspects  of  object  oriented  programming,  escape  mechanisms,  and 
coroutines  can  be  represented  naturally.  In  addition  a  wide  variety  of  operations 
on  programs  can  be  treated  including  program  transformations  which  introduce 
function  and  control  abstractions,  compiling  morphisms  that  transform  control 
abstractions  into  function  abstractions,  and  operations  that  transform  intensional 
properties  of  programs  into  extensional  properties.  The  theory  goes  beyond  a 
theory  of  functions  computed  by  programs,  providing  tools  for  treating  both  in¬ 
tensional  and  extensional  properties  of  programs.  This  provides  operations  on  pro¬ 
grams  with  meanings  to  transform  as  well  as  meanings  to  preserve.  Applications  of 
this  theory  include  expressing  and  proving  properties  of  particular  programs  and 
of  classes  of  programs  and  studying  mathematical  properties  of  computation  mech¬ 
anisms.  Additional  applications  are  the  design  and  implementation  of  interactive 
computation  systems  and  the  mechanization  of  reasoning  about  computation. 

These  notes  axe  based  on  lectures  given  at  the  Western  Institute  of  Computer 
Science  summer  program,  31  July  -  1  August  1986.  Here  we  focus  on  program¬ 
ing  and  proving  with  function  and  control  abstractions  and  present  a  variety  of 
example  programs,  properties,  and  techniques  for  proving  these  properties. 

1.1.  About  Ram 

In  the  Lisp  community,  people  traditionally  speak  of  vanilla  Lisp  when  refer¬ 
ring  to  the  pure  first-order  fragment  which  has  a  simple  interpretation  in  terms 
of  partial  functions  on  S-expressions.  Following  this  tradition  (and  being  fond  of 
rum-raisin  ice  cream)  we  have  chosen  to  call  our  flavor  of  Lisp  rum,  and  we  use 
Ram  to  refer  to  the  theory  we  have  developed  about  this  flavor.  Rum  flavored 
Lisp  is  very  much  like  the  Scheme  dialect  of  Lisp  [Steele  and  Sussman  1975],  [Rees 
and  Clinger  1986]. 

The  theory  Ram  is  based  on  an  intensional  semantic  theory  of  function  and 
control  abstractions  as  computation  primitives.  An  intensional  semantic  theory  is 
a  semantics  based  on  a  view  of  computation  as  a  process  of  generating  computa¬ 
tion  structures  and  an  interpretation  of  programs  as  descriptions  of  computations. 
Computation  structures  and  rules  for  generating  them  determine  an  abstract  ma¬ 
chine  for  carrying  out  computations,  thus  providing  an  operational  semantics.  The 
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operational  approximation  and  equivalence  relations  induced  by  the  operational 
semantics  provide  a  mathematical  interpretation  of  the  informal  concept  of  “pro¬ 
grams  as  black  boxes” .  Roughly  two  programs  axe  operationally  equivalent  if  they 
can  not  be  distinguished  by  any  computational  context.  The  operational  rela¬ 
tions  are  preserved  by  substitution  and  abstraction  and  the  recursion  operator 
(Y-combinator  analog)  computes  the  least  fixed  point  of  a  functional  with  respect 
to  operational  approximation.  Thus  we  have  also  an  extensional  semantics. 

Intensional  properties  of  programs  can  be  represented  as  properties  of  compu¬ 
tation  structures.  Some  examples  are  the  number  of  multiplications  executed,  the 
number  of  context  switches,  the  maximum  stack  depth  required  in  a  computation, 
and  the  trace  of  a  computation.  Extensional  properties  of  programs  are  properties 
of  the  function”  computed.  They  can  be  expressed  in  terms  of  the  operational 
approximation  and  equivalence  relations.  Some  examples  of  extensional  proper¬ 
ties  are  notions  of  equality  for  streams  and  coroutines  and  characterizations  of 
functionals  implementing  strategies  for  searching  tree-structured  spaces. 

An  abstraction  formalizes  the  notion  of  an  object  being  given  uniformly  in 
terms  of  some  parameter.  Application  of  an  abstraction  instantiates  the  param¬ 
eter  to  the  argument  of  the  application.  Function  and  control  abstractions  are 
mathematically  tractable  computation  primitives  that  allow  one  to  express  easily 
a  wide  variety  of  computation  mechanisms  and  programming  styles  and  to  reason 
naturally  about  programs  that  employ  these  primitives.  Function  abstractions 
describe  the  computation  of  (partial)  functions.  A  function  abstraction  produced 
by  evaluation  of  a  lambda  expression  contains  information  giving  the  interpreta¬ 
tion  of  free  variables  occuring  in  the  expression  in  the  creation  time  environment. 
In  addition  to  ordinary  functions,  function  abstractions  can  be  used  to  represent 
structured  (possibly  infinite)  data  such  as  tuples  and  streams,  to  represent  the 
continuation  of  a  computation,  to  describe  delayed  or  lazy  evaluation,  and  (when 
assignment  abstractions  are  added)  to  represent  objects  in  the  object-oriented  style 
of  computation.  Control  abstractions  represent  contexts  built  up  in  the  process  of 
carrying  out  a  computation.  They  provide  a  means  of  suspending  and  resuming 
computations  and  can  be  used  to  program  non-local  control  mechanisms  such  as 
escaping  and  coroutining. 

These  notes  are  organized  as  follows.  The  second  part  of  this  introduction 
is  an  annotated  list  of  suggestions  for  further  reading.  §2  presents  examples  that 
illustrate  the  use  of  multiple  values  and  function  and  control  abstractions  to  de¬ 
scribe  a  variety  of  of  computation  mechanisms.  It  includes  sample  computations 
and  informal  discussion  of  properties  of  the  example  programs  and  their  computa¬ 
tions.  §3  summarizes  the  basic  mathematical  tools  and  notation  that  will  be  used. 
In  §4  the  intensional  semantic  theory  is  presented,  the  operational  relations  that 
are  the  Semantic  basis  for  expressing  properties  of  programs  axe  defined,  and  key 
are  properties  stated.  In  §5  a  language  for  expressing  properties  of  Thim  programs 
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is  defined,  its  semantics  is  explained,  some  basic  axioms  and  rules  for  proving  as¬ 
sertions  axe  stated,  and  additional  axe  laws  derived  as  examples  and  tools  for  later 
use.  §6  contains  precise  statements  and  proofs  of  the  extensional  properties  of 
programs  discussed  in  §2.  In  §7  methods  for  treating  intensions]  properties  axe  de¬ 
veloped  and  illustrated.  In  §8  we  summarize  what  we  have  done  and  discuss  some 
further  developments  and  extensions  of  the  theory.  The  appendix  (§10)  contains 
proofs  of  theorems  stated  in  §4  and  other  miscellaneous  technical  details. 

1.2.  An  annotated  reading  list 

This  list  is  divided  into  two  parts  -  roughly  practice  and  theory  -  and  each 
list  is  sorted  alphabetically.  The  list  is  included  here,  as  it  also  serves  as  a  mini 
survey  of  concepts  and  results  that  form  the  background  for  Ihim  and  of  related 
work.  Additional  discussion  of  some  of  these  papers  can  be  found  in  [Talcott  1985; 
Chapter  II]. 

1.2.1.  Programming  with  function  and  control  abstractions. 

■  [Abelson  and  Sussman  1985]  Text  for  introductory  programming  course  at  MIT, 

based  on  the  language  Scheme.  Operational  viewpoint  -  programs  axe  viewed 
as  descriptions  of  computation. 

■  [Friedman,  D.  P.  et.al.  1984]  A  basic  text  on  programming  in  Scheme.  Programs 

axe  viewed  as  functions.  There  is  much  emphasis  on  the  use  of  various  forms 
of  abstraction  (function,  control,  textual,  . . . )  in  programming. 

■  [Burge  1971]  Many  examples  of  programming  with  functions  as  arguments  and 

values. 

■  [Burge  1975rec]  A  basic  text  on  writing  recursive  programs  and  using  functions 

as  arguments  and  values. 

•  [Burge  1975str]  Examples  of  programming  with  streams  illustrating  the  use  of 
streams  in  a  variety  of  applications.  Contains  a  veritable  library  of  operations 
on  streams. 

■  [Burstall  1968]  Using  functionals  and  the  Landin  J  (for  jump)  operator  to  pro¬ 

gram  search  strategies.  (See  entry  for  Landin  below.) 

■  [Conway  1963]  Origin  of  the  notion  of  coroutine  as  a  way  of  organizing  a  large 

compiler  into  small  independent  processes. 

■  [Henderson  1980]  Treats  many  aspects  of  functional  programming  including  use 

of  higher  order  functions,  abstract  machines,  implementation  issues,  and  many 
excellent  programming  examples. 
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•  [Kahn  and  McQueen  1977]  A  language  for  defining  dynamically  configurable  net¬ 

works  of  processes.  An  important  subset  of  the  language  can  be  interpreted 
sequentially  (as  coroutines)  or  as  synchronized  parallel  processes  without  af¬ 
fecting  the  behavior.  The  paper  includes  example  programs  and  proofs  of 
correctness. 

1.2.2.  Semantics 

•  [Barendregt  1981]  More  than  you  want  to  know  about  the  lambda  calculus,  but 

an  excellent  place  to  look  for  definitions,  concepts,  statements  and  proofs  of 
theorems,  etc. 

•  [Felleisen  and  Friedman  1986,7;  Felleisen  1987]  Extensions  of  Plotkin’s  call-by¬ 

value  lambda  calculus  (see  Plotkin  entry)  with  operations  for  capturing  and 
aborting  the  current  computation  context  (control  calculus  [FELLEISEN  AND 
FRIEDMAN  1986])  and  with  labeled  values,  assignment  and  dereferencing  op¬ 
erations  (assignment  calculus  [FELLEISEN  AND  FRIEDMAN  1987]).  The 
calculi  are  derived  from  operational  semantics  given  by  abstract  machines  in 
the  spirit  of  Landin  (see  Landin  entry).  These  calculi  have  Church- Rosser  the¬ 
orems,  Standardization  theorems  and  can  be  used  as  the  basis  for  reasoning 
about  programs  that  use  function  and  control  abstractions  and  assignment. 

•  [Landin  1964-6]  An  operational  semantics  for  AE  (the  language  of  the  lambda 

calculus)  and  for  IAE  (AE  plus  non-local  control  and  assignment  constructs) 
given  in  terms  of  the  SECD  machine  (an  abstract  machine  for  evaluating  ex¬ 
pressions.)  In  Landin[1965],  this  semantics  is  used  to  provide  a  semantics 
for  Algol  60  expressions  by  translation  to  IAE  expressions.  In  Landin[1966], 
Iswim  (If  you  See  What  I  Mean  —  IAE  plus  “syntactic  sugar”  defining  ad¬ 
ditional  important  computation  primitives)  is  proposed  as  the  basis  of  an 
approach  to  language  design.  Iswim  is  a  framework  providing  mechanisms  for 
naming  things  (binding)  and  for  defining  functional  relations,  thus  reducing 
language  design  to  a  matter  of  choosing  primitive  data  and  operations  and 
choosing  printed  and  physical  representations. 

■  [Plotkin  19/5]  Defines  a  call-by- value  lambda  calculus  with  constants  and  shows 

that  the  equational  semantics  given  by  lambda-v  reduction  and  lambda-v 
equivalence  is  compatible  with  the  operational  semantics  (evaluation  relation) 
given  by  Landin’s  SECD  machine.  The  notion  of  operational  (black-box) 
equivalence  is  defined  in  terms  of  the  evaluation  relation  and  shown  to  properly 
contain  lambda-v  equivalence. 

■  [Schmidt  1986]  A  general  text  on  denotational  semantics. 

■  [Scott  1976]  Describes,  in  great  detail,  the  graph  model  of  the  lambda  calculus 

(discovered  independently  by  Scott  and  Plotkin).  The  graph  model  is  an 
example  of  a  general  method  for  constructing  mathematical  models  of  the 
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lambda  calculus.  Expressions  in  the  language  of  the  lambda  calculus  are 
interpreted  els  “graphs”  of  continuous  functions  on  a  domain  with  a  complete 
partial  order.  Equations  provable  in  classical  lambda  calculus  and  many  more 
equations  hold  in  this  model.  The  Y  combinator  computes  the  least-fixed- 
point  operator  on  graphs  of  functions.  Domain  theory  is  developed  within  the 
model  using  lambda- definable  retractions  to  represent  domains  and  the  fixed 
point  operator  to  solve  domain  equations. 

« [Scott  and  Strachey  1971]  Original  presentation  of  basic  methods  of  Scott-Strachey 
semantics  including  clearly  worked  out  examples. 
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2.  Programming  with  function  and  control  abstractions. 


In  this  section  we  give  examples  of  programs  that  use  function  and  control 
abstractions  and  multiple  values  to  describe  a  variety  of  computation  tools  includ¬ 
ing  program  schemes,  object  behaviors,  escape  and  coroutine  mechanisms,  and 
infinite  streams.  We  begin  with  an  informal  summary  of  notation  and  concepts 
used  in  the  examples.  This  together  with  the  discussion  of  the  examples  is  (hope¬ 
fully  )  sufficient  to  make  the  main  points  clear.  The  precise  syntax  and  semantics 
is  given  in  §4  and  many  of  the  properties  stated  informally  here  will  be  stated 
more  precisely  and  proved  in  later  sections. 


The  computation  domain  contains  data  and  data  operations  from  the  under  - 
lying  data  structure,  pfns,  and  continuations.  Functions  computed  axe  “variary” 
-  their  domains  and  ranges  are  finite  sequences  of  elements  from  the  computation 
domain,  o  is  the  empty  sequence  and  [uo5  ^i]  is  the  concatenation  of  the  sequences 
vq  and  tq .  Elements  of  the  computation  domain  sire  treated  as  singleton  sequences. 


The  underlying  data  structure  for  our  examples  is  an  S-expression  structure. 
The  domain  is  closed  under  pairing  and  contains  integers,  strings,  and  a  special 
constant  Nil  representing  the  empty  list.  The  data  operations  include  (using  Lisp 
names)  pairing  and  projections  (Cons,  Car,  Cdr);  tests  for  atoms  (non-pairs)  and 
zero  (Atom,  Zerop);  successor,  addition,  and  multiplication  (Addl,  +,  *);  and  the 
string  operations  (StrMk,  StrUn).  For  S-expressions  a  and  b  we  write  a  •  b  for  the 
value  of  Cons(a,  6).  Lists  are  generated  as  usual  from  the  empty  list  by  pairing.  We 
write  <ai, . . . ,  an>  for  ai  •(...(•  an  •  Nil) . . .).  StrMk  takes  a  sequence  of  integers 
(character  codes)  and  returns  the  corresponding  string.  StrUn  takes  a  string  and 
returns  the  corresponding  sequence  of  character  codes.  #a  is  the  character  code 
for  the  letter  ‘a’  and  we  write  "abc"  for  the  value  of  StrMk[#a,  #b,#c]. 

Pfns  are  functional  abstractions  that  can  be  thought  of  as  partial  functions 
containing  information  describing  how  the  value  of  the  function  is  to  be  computed. 
Pfns  correspond  to  Landin’s  closures  [Landin  1964]  -  the  value  of  a  lambda  abstrac¬ 
tion  is  a  pfn  containing  the  lambda  abstraction  and  the  values  of  its  free  variables 
in  the  evaluation  environment.  Continuations  are  control  abstractions  that  repre¬ 
sent  computation  contexts  built  up  in  the  process  of  carrying  out  computations. 
A  computation  context  contains  the  information  prescribing  how  the  computation 
is  to  continue  when  the  current  subcomputation  is  complete.  As  objects  of  the 
computation  domain,  pfns  provide  a  means  of  passing  procedures  as  parameters, 
of  encapsulating  an  expression  for  later  evaluation,  and  of  constructing  special¬ 
ized  versions  a  procedure  by  instantiating  some  of  its  parameters.  Continuations 
provide  a  means  of  remembering  and  switching  contexts,  and  of  suspending  and 
resuming  computations. 
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We  often  use  systems  of  recursion  equations  to  define  pfns.  These  equations 
are  written  using  the  sign  «—  and  specify  that  the  equation  should  be  used  to 
replace  applications  of  the  defined  pfn  by  the  body  suitably  instantiated. 

Extensional  properties  of  programs  (properties  of  programs  viewed  as  black 
boxes)  are  expressed  using  the  operational  equivalence  relation  (=).  Two  expres¬ 
sions  or  values  are  operationally  equivalent  if  they  can  not  be  distinguished  by  any 
computational  context.  This  means  that  an  expression  or  value  can  be  replaced 
by  an  equivalent  one  in  any  computational  context  without  changing  the  mean¬ 
ing  of  the  whole  expression.  Equivalent  expressions  either  both  escape,  are  both 
undefined  or  are  both  defined  with  equivalent  values.  Operational  equivalence  is 
preserved  by  substitution  and  abstraction  and  it  satisfies  the  usual  laws  for  con¬ 
ditional  expressions  (if)  and  the  equational  laws  of  the  underlying  data  structure. 
The  stepwise  computation  rules  can  be  formulated  as  laws  of  operational  equiva¬ 
lence.  Pfns  defined  by  recursion  equations  also  satisfy  the  equations  obtained  by 
replacing  «—  by  =.  We  will  see  many  other  interesting  properties  of  operational 
equivalence  as  we  proceed.  If  U  is  a  set  of  sequences  from  the  computation  domain 
and  u  is  a  member  of  U  we  say  that  u  has  sort  U .  We  use  the  term  sort  rather 
than  type  since  the  sorts  may  be  organized  into  many  different  type  structures 
and  we  don’t  wish  to  specify  a  particular  one. 

One  final  notational  remark.  With  sequences  and  lambda  abstraction  we 
have  two  forms  of  expressing  multi-ary  functions  and  function  application:  us¬ 
ing  sequences  as  in  (A[a,  6].<^)[a,  6]  =  <p]  and  curried  lambda  application  as  in 
(\u.\v.ip)(u,v)  =  </?.  In  the  former  a,  b  range  over  are  singletons  and  in  the  latter 
u,v  range  over  arbitrary  sequences.  Note  that  unary  application  of  a  function  to 
a  sequence  f[x\ and  curried  application  f(x i , . . . , xn)  are  different.  For 
example  (A[r,y].9?)[[a,  6],  c]  binds  x  to  a  and  y  to  [6,  c]  while  (A(z,y).<^)([a,  6],c) 
binds  x  to  [a,  b]  and  y  to  b. 

2.1.  Multiple  values  and  functionals. 

To  illustrate  the  expressive  power  of  multiple  arguments  and  values  we  define 
the  string  concatenation  operation  StrConc  directly  in  terms  of  the  data  operations 
StrUn  and  StrMk.  The  trick  is  to  use  sequence  concatenation  to  do  the  main  work. 

>  StrConc[r,y]  <—  StrMk[StrUn(x),  StrUn(y)] 

For  example 

StrConc["abc",  "def "]  £  "abcdef". 

■(Properties  of  StrConc)  StrConc  maps  pairs  of  strings  to  strings,  is  associative 
and  has  the  empty  string  as  left  and  right  identity. 
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Now  we  look  at  an  example  where  higher  order  functions  can  be  thought  of 
as  program  schemes  (describing  classes  of  programs).  Properties  of  such  func¬ 
tions  can  serve  as  proof  schemes  for  proving  properties  of  particular  instances. 
Sit(/,  b,x)  iterates  a  binary  function  f  along  a  sequence  x  using  b  as  the  initial 
second  argument. 

>  Sit(/,  b,  x)  *-  if  (a:,  /(fst(x),  Sit(/,  b,  rst(x))),  b) 

where  if  tests  for  the  empty  sequence  and  fst,  rst  compute  the  first  and  rest  of  a 
sequence. 

■(The  sort  of  Sit)  Let  A,  B  be  subsets  of  the  computation  domain,  let  /  compute 
a  total  function  from  A  x  B  to  B  and  let  b  be  an  element  of  B.  Then  Ax.Sit(/,  b ,  x) 
computes  a  total  function  from  A*  (the  set  of  sequences  from  A)  to  B. 

A  sequence  of  S-expressions  is  converted  to  a  list  by  mapping  the  pairing 
function  along  that  sequence  beginning  with  the  empty  list.  Thus  we  can  define 
ListMk  by 

>  ListMk(x)  «—  Sit(Ax,  y.Cons[x,y],  l\lil,x) 

ListMk  formalizes  the  conventional  list  notation.  For  example  we  have 

ListMk[0, 1,2]  =  <0  1  2> 

ListMkfao, . . . ,  a*]  =  <ao  . . .  ajt> 

■(The  sort  of  ListMk)  From  the  sort  of  Sit  it  is  easy  to  see  that  ListMk  computes 
a  total  function  from  sequences  of  S-expressions  to  lists. 

2.2.  Object  behaviors. 

Objects  in  the  Small-talk  sense  axe  active  entities  with  internal  state  that  can 
receive  and  reply  to  some  collection  of  messages.  The  internal  state  of  an  object 
can  only  be  changed  by  the  object.  This  is  a  form  of  abstraction  (as  in  abstract 
data  type)  that  insures  that  the  representation  of  internal  state  in  not  visible.  The 
observable  behavior  of  an  object  is  its  set  of  possible  message- reply  sequences.  The 
abstraction  criteria  means  that  the  representation  of  an  objects  internal  state  can 
be  freely  changed  without  changing  the  observable  behavior  of  the  object. 

Although  we  can  not  model  the  sharing  aspects  for  objects  whose  internal  state 
may  change,  we  can  represent  an  objects  behavior  as  a  pfn  which  when  applied  to 
a  message  returns  a  new  pfn  describing  the  behavior  of  the  object  after  receiving 
that  message,  together  with  its  reply  to  that  message.  The  behavior  represented 
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by  such  a  pfn  is  the  set  of  possible  message- reply  sequences  (ignoring  the  behavior 
pfn  part  of  each  reply,  which  is  the  functional  representation  of  internal  state). 

As  an  example  we  consider  the  simplest  non-trivial  behavior  —  that  of  a 
(memory)  cell.  A  cells  internal  state  is  its  contents.  A  cell  with  contents  a  accepts 
get  and  set  messages.  In  the  case  of  a  get  message,  the  cell  replys  with  a  and  re¬ 
mains  a  cell  with  contents  a.  In  the  case  of  a  set  message,  with  contents  component 
b  the  cell  becomes  a  cell  with  contents  b  (the  reply  if  any  is  just  acknowledgement). 
For  simplicity  we  assume  any  other  messages  are  no-ops  —  the  internal  state  is 
not  changed  and  no  reply  is  made.  We  assume  there  are  tests  Getmsg  and  Setmsg 
to  distinguish  message  types,  and  in  the  case  of  set  messages  a  selector  Contents 
that  extracts  the  contents  component  of  the  message.  The  pfn  Cell(a)  is  defined 

by 


t>  Cell(a)  <—  Am.if(Getmsg(m),  [Cell(a),  a], 

if(Setmsg(m),  Cell(Contents(m)), 

Cell(a))) 

■(Specifying  cell  behavior)  The  pfn  Cell(a)  describes  the  behavior  of  a  cell 
with  contents  a. 

2.3.  Computing  number  tree  products. 

The  theme  for  this  set  of  examples  is  the  problem  of  computing  the  product  of 
numbers  in  a  number  tree.  A  number  tree  x  is  either  a  number,  or  a  pair  of  number 
trees  x0  *  x\.  The  tree  product  is  the  product  of  the  numbers  in  a  number  tree. 
The  number  of  cells  in  a  number  tree  is  the  number  of  conses  used  to  construct 
it  and  the  number  of  nodes  is  the  number  of  cells  plus  the  number  of  leaves.  For 
example,  2  and  (3  •  2)  •  2  are  number  trees,  the  tree  product  of  (3  •  2)  •  2  is  12, 
the  number  of  cells  in  (3  •  2)  •  2  is  2,  and  the  number  of  nodes  in  (3  ♦  2)  •  2  is  5. 

We  will  consider  three  pfns  that  compute  the  tree  product  function.  Tp 
computes  the  product  by  the  obvious  recursion  on  the  number  tree  structure. 
Tpc  and  Tps  compute  the  product  as  one  would  in  a  hand  computation  -  by 
abandoning  the  normal  processing  of  a  number  tree  when  a  zero  is  encountered  and 
immediately  returning  the  value  zero  to  the  caller.  Tpc  uses  function  abstraction 
and  Tps  uses  control  abstraction  to  implement  the  “immediately  return  zero  to 
the  caller”  strategy. 
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2.3.1.  Simple  recursion  on  number  trees. 

Tp  is  defined  by 

>  Tp(x)  <—  if(Atom(x),x,Tp(Car(x))  *  Tp(Cdr(x))). 

This  equation  together  with  laws  for  operational  equivalence  and  facts  about  data 
operations  can  be  used  to  compute  the  value  of  Tp(x)  for  any  number  tree  x  in 
the  usual  way.  As  an  example  we  compute  the  value  of  Tp((3  •  2)  •  0). 

Tp((3  •  2) .  0) 

-  if(Atom((3  •  2) .  0),(3 . 2) .  0,Tp(Car((3  •  2) .  0))*Tp(Cdr((3 . 2) .  0))) 

;;  using  the  definition  of  Tp 

“  TP(Car((3  •  2)  •  0))  *  T p(Cdr((3  •  2) .  0))  ;;  Atom((3  •  2) .  0)  is  false 

-  Tp(3  •  2)  *  Tp(Cdr((3 . 2)  •  0))  ;;  Car((3  •  2)  •  0)  a  3  •  2 

=  (3*2)*  Tp(Cdr((3  •  2)  •  0))  ;;  recursively  computing  T p(3  •  2)  a  3  *  2 

=  6*Tp(Cdr((3  •  2)  •  0))  ;;  3*22(6 

=  6  *  T p(0)  ;;  Cdr((3  •  2)  •  0)  a  0 

-  6  *  0  ;;  computing  T p(0)  •  0))  a  0 

=  0  ;;  6  *  0  a  0 

■(Properties  of  the  computation  of  Tp)  In  the  above  computation  Car  and 
Cdr  are  each  applied  twice  and  *  is  applied  twice.  More  generally,  we  can  show 
that  for  any  number  tree  x  in  the  computation  of  the  value  of  T p(x)  the  number  of 
applications  of  Car  and  Cdr  is  the  number  of  non-root  nodes  in  x  and  the  number 
of  applications  of  *  is  the  number  of  cells  in  x. 

2.3.2.  Improving  by  pruning  unnecessary  computation. 

If  zero  occurs  in  a  number  tree  then  the  product  will  be  zero.  Thus  we  can 
make  the  following  requirement  for  a  pfn  computing  the  tree  product: 

(+)  a  zero  **  encountered,  in  traversing  the  number  tree,  terminate 

traversal  and  return  zero  without  further  computation. 

One  wa\  to  define  a  pfn  meeting  this  specification  is  to  define  an  auxiliary  pfn 
which  has  an  additional  parameter  used  to  store  context  information.  The  key  is 
to  insure  that  as  each  node  of  the  number  tree  is  visited  the  initial  calling  context 
and  the  current  number  tree  context  (what  remains  to  be  done  in  processing  the 
number  tree)  are  both  available.  Then  computation  can  continue  normally  or 
abort  processing  and  return  a  value  directly  to  the  calling  context. 
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2.3.3.  Continuation  passing  computation  of  the  tree  product. 

T pc  uses  an  auxiliary  pfn  Tc  that  describes  a  continuation  passing  style  com¬ 
putation  ([Reynolds  1972],  [Steele  and  Sussman  1975]).  Tc  expects  two  arguments 
-  a  number  tree  and  a  continuation  pfn.  The  continuation  pfn  represents  the  cur¬ 
rent  number  tree  context.  A  key  feature  of  continuation  passing  style  computation 
is  that  no  computation  context  is  built  up.  The  current  computation  context  is  the 
calling  context,  and  simply  returning  a  value  from  a  subcomputation  returns  it  to 
the  calling  context.  To  continue  the  computation  normally,  the  value  is  returned 
to  the  continuation  pfn  (i.e.  the  continuation  pfn  is  applied  to  the  returned  value). 
Tpc  and  Tc  are  defined  by 

>  Tpc(x)  «—  Tc(x,  I) 

>  Tc(x,/)  ♦-  if(Atom(x), 

if(Zerop(x),0,/(x)), 

Tc(Car(x),Ta(x,  /))) 

»  Ta(x,  /)  -  Ay.Tc(Cdr(x),Td(y,/)) 

>  Td(y5/)  <-  A z.f(y*z) 

Tpc  computes  the  tree  product  by  calling  Tc  with  the  identity  pfn,  I  =  A z.z,  as 
the  initial  continuation  pfn.  For  number  trees  x  and  continuation  functions  /, 
we  can  analyze  the  computation  of  Tc(x,/)  as  follows.  In  the  case  x  is  zero, 
zero  is  returned  and  the  computation  is  complete.  In  the  case  x  is  a  non-zero 
atom,  computation  proceeds  by  applying  /  to  x  to  carry  out  the  remainder  of  the 
computation.  In  the  case  x  is  a  non-atom,  the  left  subtree  Car(x)  is  processed 
with  continuation  Ta(x,  /).  Ta(x,  /)  is  the  pfn  constructed  by  closing  the  lambda 
expression  Ay.Tc(Cdr(x),  Td(y, /))  in  the  environment  determined  by  the  values 
of  x  and  /.  If  a  zero  is  encountered  in  Car(x)  then  zero  will  be  returned  as  the 
value.  If  no  zeros  are  encountered  in  Car(x),  the  value  ma  of  Tp(Car(x))  will  be 
returned  to  Ta(x,/).  Computation  of  Ta(x,/)(ma)  proceeds  by  processing  the 
right  subtree  Cdr(x)  with  continuation  pfn  Td(ma,/).  Td(ma,/)  is  the  closure  of 
A*./(y  *  z)  in  an  environment  that  assigns  the  value  ma  to  the  symbol  y  and  the 
value  of  /  to  /.  If  a  zero  is  encountered  in  Cdr(x)  then  zero  will  be  returned  as  the 
value.  If  no  zeros  are  encountered  in  Cdr(x),  the  value  raj  of  Tp(Cdr(x))  will  be 
returned  to  Td(ma,/).  Computation  of  Td (ma,/)(m<i)  proceeds  by  multiplying 
ma  and  and  returning  the  result  to  /.  As  an  example  we  compute  the  value 
of  T pc((3  •  2)  •  0). 


Tpc((3  •  2)  •  0)  =  Tc((3  •  2)  •  0.1) 
—  Tc(3  •  2,Ta((3  •  2)  •  0,1)) 


;;  definition  Tpc 
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;;  definition  Tc,  Atom((3  •  2)  •  0)  is  false,  Car((3  •  2)  •  0)  S  3  •  2 
—  Tc(3,Ta(3  •  2,Ta((3  •  2)  •  0, 1))) 

;;  definition  T c,  Atom(3  •  2)  is  false,  Car(3  *2)^3 
—  Ta(3  •  2,Ta((3  •  2)  •  0,  l))(3) 

;;  definition  Tc,  Atom(3)  is  true,  Zerop(3)  is  false 
=  Tc(2,  Td(3,  Ta((3  •  2)  •  0, 1)))  ;;  definition  Ta,  Cdr(3  •  2)  2 

—  Td(3,Ta((3  •  2)  •  0,  l))(2) 

;;  definition  Tc,  Atom(2)  is  true,  Zerop(2)  is  false 
—  Ta((3  •  2)  •  0,  l))(6)  ;;  definition  Td,  3  *  2  Si  6 

—  Tc(0,Td(6, 1))  ;;  definition  Ta,  Cdr((3  ♦  2)  •  0)  Si  0 

=  0  ;;  definition  Tc,  Atom(0)  is  true,  Zerop(0)  is  true 

■(The  functions  computed  by  Tc  and  Tpc)  The  function  computed  by  Tc  is 
characterized  by  the  following  equation 

(Tc-TP)  Tc(x,/)  £  if(lnz(x),0,/(Tp(x))) 

where  x  ranges  over  number  trees  and  lnz(x)  is  true  iff  zero  occurs  in  x.  (Tc.Tp) 
can  be  proved  by  number  tree  induction  using  the  informal  analysis  of  Tc  given 

above.  From  (Tc.Tp)  and  properties  of  the  identity  pfn  it  is  easy  to  see  that  Tpc 

computes  the  tree  product  function. 

(TPC-TP)  Tpc(x)  =  Tp(x) 

■(Properties  of  the  computation  of  Tpc)  In  the  above  computation  of  the 
value  of  Tpc((3  •  2)  •  0),  Car  and  Cdr  axe  each  applied  twice  and  *  is  applied 
once.  More  generally,  we  can  show  that  for  any  number  tree  x,  in  the  computation 
of  the  value  of  Tpc(x)  the  number  of  applications  of  Car  and  Cdr  is  number  of 
nodes  before  the  leftmost  zero  in  the  depthfirst  traversal  of  x  and  the  number  of 
applications  of  *  is  the  number  of  cells  in  x  to  the  left  of  the  leftmost  zero. 

2.3.4.  Pruning  by  context  noting  and  switching. 

The  definition  of  Tps  uses  context  noting  to  remember  the  calling  context  and 
context  switching  to  return  a  value  to  the  calling  context.  To  understand  context 
noting  and  switching  in  general,  we  can  think  of  a  context  as  an  expression  with  a 
hole  in  it.  To  evaluate  an  expression  we  find  the  current  subexpression  and  process 
t  at,  treating  the  remainder  of  the  expression  as  the  current  context.  For  example 
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in  Tp(Car(x))  *  Tp(Cdr(x))  the  current  subexpression  is  Car(x)  and  the  current 
context  is  Tp({. . .})  *  Tp(Cdr(x)).  Computation  proceeds  by  replacing  Car(x)  by 
its  value  say  x„.  The  current  subexpression  then  becomes  Tp(x„)  and  the  current 
context  becomes  {. . .}  *T p(Cdr(x)).  If  the  current  subexpression  is  note(c)v?  then  <p 
is  evaluated  in  the  current  context  with  c  replaced  by  the  continuation  representing 
that  context.  If  the  current  subexpression  is  the  application  of  a  continuation  to  a 
value  we  place  the  value  in  the  hole  of  the  context  represented  by  the  continuation 
and  evaluate  the  resulting  expression  (thus  switching  contexts  and  discarding  the 
previous  current  context). 

Tps  notes  its  calling  context  and  applies  the  auxiliary  pfn  Ts  to  its  number 
tree  argument  and  the  noted  context.  Ts  computes  the  product  in  essentially  the 
same  manner  that  T p  does.  Its  additional  argument  is  a  continuation  representing 
the  calling  context.  The  current  computation  context  is  the  current  number  tree 
context.  If  a  zero  is  encountered  the  context  parameter  is  applied  to  zero  to  return 
zero  directly  to  the  calling  context.  Tps  and  Ts  are  defined  by 

>  Tps(x)  «—  note(c)Ts(x,c) 

>  Ts(x,c)  <—  if(Atom(x), 

if(Zerop(x),  c(0),  x), 

Ts(Car(x),c)*Ts(Cdr(x),c))  • 

Three  properties  of  context  noting  and  switching  Eire  needed  compute  the  value  of 
Tps(x): 

■  (note.abs)  If  two  expressions  <p0,  p>\  are  equivalent  when  the  variable  c  ranges  over 

continuations  then  the  their  note  abstractions  with  respect  to  c  axe  equivalent. 

■  (note.id)  If  the  note  variable  c  does  not  occur  free  in  an  expression  ip  then 

note(c)c(y>)  £  <p- 

■  (escape)  If  the  current  subexpression  is  the  application  of  a  continuation  then  we 

can  discard  the  current  context  -  replace  the  expression  being  evaluated  by 
the  current  subexpression. 

As  an  example  we  compute  the  value  of  Tps((3  •  2)  •  0).  (note.abs)  is  used 
implicitly  -  working  inside  a  note  expression  we  may  assume  the  note  variable 
ranges  over  continuations  and  we  may  replace  the  note  body  by  an  equivalent 
expression. 

Tps((3  •  2)  •  0)  =  note(c)Ts((3  •  2)  •  0,c)  ;;  definition  Tps 

=  note(c)(Ts(3  .  2,  c)  *  Ts(Cdr((3  •  2)  .  0),c)) 

;;  definition  Ts,  Atom((3  •  2)  •  0)  is  false,  Car((3  •  2)  •  0)  Ss  3  •  2 
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=  note(c)(6  *  Ts(Cdr((3  ■  2) ■  0),  c)) 

;;  computing  Ts(3  •  2,  c)  S'  6  as  for  Tp 

—  note(c)(6  *  c(0))  ;;  computing  Ts(Cdr((3  •  2)  •  0),  c)  S'  c(0) 

—  note(c)(c(0))  ;;  by  (escape) 

=  0  ;;  by  (note.id) 

■(The  functions  computed  by  Ts  and  Tps)  The  function  computed  by  Ts  is 
characterized  by  the  following  equation 

(Ts.Tp)  Ts (r,c)  S'  if(lnz(x),c(0),  Tp(x)) 

where  x  ranges  over  number  trees  and  c  ranges  over  continuations.  From  this 
equation  and  properties  of  noting  and  switching  it  follows  that  Tps  computes  the 
tree  product  function. 

(Tps.Tp)  Tps(x)  S' Tp(x) 

As  an  introduction  to  proving  properties  of  noting  and  switching  we  give  a  proof 
of  (Tps.Tp).  The  proof  uses  a  simple  equation  (Tp.lnz)  expressing  the  fact  that 
the  tree  product  of  a  number  tree  x  containing  a  zero  is  zero. 

(T P-Inz)  T p(x)  S'  if(lnz(x), 0,  Tp(x)) 

We  also  need  a  further  property  of  noting  (note.if)  that  allows  us  to  move  a  note 
inside  an  if  when  the  test  does  not  involve  the  note  variable. 

■  (note.if)  If  the  note  variable  c  does  not  occur  free  in  the  expression  <p0  then 
note(c)if(<r50,v?i5  92))  =  if  (90,  note(c)</?i,  note(c)<^2)- 

Proof  (Tps.Tp): 

T ps(x)  S'  note(c)Ts(x,  c)  ;;  dfn  Tps 

S'  note(c)if(lnz(x), c(0), T p(x))  ;;  (Ts.Tp) 

=  if(lnz(x),  note(c)c(0),  note(c)T p(x))  ;;  (note.if) 

=  if(lnz(x), 0, Tp(x))  ;;  (note.triv) 

—  Tp(x)  ;;  (Tp.lnz) 


Tps.Tp 
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Notes 

•  Even  though  T  ps  uses  context  noting  and  switching  in  its  computations  the 
expression  Tps(x)  has  a  value  independent  of  context. 

•  Computation  of  T ps  is  “isomorphic”  to  computation  of  T pc.  That  is,  there  is 
an  essentially  one-one  correspondence  between  steps  in  the  computation  of  T pc(x) 
and  T ps(x).  In  particular,  the  number  of  applications  of  any  data  operation  is  the 
same  in  both  cases.  The  difference  is  that  in  the  Tps  case  the  interpreter  does 
the  work  of  keeping  track  of  the  computation  context  while  in  the  Tpc  case  the 
programmer  did  this  work. 

•  The  definitions  of  Tc  and  T  s  were  obtained  by  applying  program  transform  a  - 
tions  to  (Tc.Tp)  and  (Ts.Tp)  viewed  as  defining  equations.  The  transformations 
use  standard  transformation  rules  (see  [Scherlis  1981])  augmented  by  rules  for 
introducing  and  eliminating  abstraction  and  for  manipulating  continuation  appli¬ 
cation  expressions.  The  transformation  steps  also  constitute  a  proof  that  initial 
and  final  equations  define  the  same  function. 

Endnotes 

2.4.  Streams  as  infinite  sequences. 

The  idea  of  streams  was  introduced  in  [Landin  1965]  to  represent  finite  se¬ 
quences  whose  elements  are  computed  as  they  are  needed  rather  than  being  com¬ 
puted  in  advance.  This  was  needed  to  interpret  certain  iteration  constructs  of 
Algol  60.  More  generally,  a  stream  is  an  object  which  when  queried  returns  its 
first  element  together  with  an  object  computing  the  rest  of  the  stream  together. 
Thus  we  can  think  of  streams  as  (possibly  infinite)  sequences  whose  elements  can 
only  be  accessed  by  removing  them  from  the  sequence  one  at  a  time.  In  Rum 
streams  are  represented  by  pfns  and  are  characterized  by  the  sequences  they  gen¬ 
erate.  (We  consider  only  infinite  streams  here,  thus  eliminating  the  need  to  deal 
with  the  end-of-stream  case.)  Note  that  streams  axe  a  special  case  of  object  be¬ 
haviors  where  the  only  message  is  the  ‘next  element’  message. 

As  an  example,  we  define  the  stream  Sieve  that  generates  the  sequence  of  prime 
numbers  in  increasing  order.  The  definition  is  based  on  the  algorithm  known  as 
sieve  of  Eratosthenes. 

>  Sieve(mt)  <-  Sift(lnts(2)) 

>  lnts(n)(mt)  [lnts(n  +  1),  n] 

>  Filter(p,m)(mt)  «-  Iet{[n,  in]  m(mt)} 

if(Divp(p,  n),  Filter (p,  m)(mt),  [Filter(p,  in),  n]) 

>  Sift(m)(mt)  let{[m,p]-em(mt)}[Sift(Filter(p,m)),p] 
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where  for  numbers  p,  n  the  expression  Divp(p,  n)  is  true  iffp  divides  n.  To  see  how 
Sieve  works  we  compute  the  first  few  elements. 

(1)  Sieve(mt)  ^  Sift(lnts(2))(mt)  3  [Sift(Filter(2,  lnts(3))),  2] 

;;  using  the  definition  of  Sieve  and  lnts(2)(mt)  2  [lnts(3),2] 

(2)  Sift(Filter(2,  lnts(3)))(mt)  S  [Sift(Filter(3,  Filter(2,  lnts(4)))),  3] 

;;  since  Filter(2,  lnts(3))(mt)  Si  [Filter(2,lnts(4)),3] 

(3)  Sift(Filter(3,  Filter(2,  lnts(4))))(mt)  3  [Sift(Filter(5,  Filter(3,  Filter(2,  lnts(6))))),  5] 

;;  using  Filter(2,lnts(4))(mt)  Si  [Filter(2,  lnts(6)),5]  and 
;;  Filter(3,  Filter(2,  ints(4)))(mt)  St  [Filter(3,  Filter(2,  lnts(5))),5] 

■(Properties  of  the  sieving  pfns)  Let  n,p  be  numbers  and  in  be  a  stream 
generating  a  sequence  of  numbers.  Then 

■  (i)  lnts(n)  generates  the  the  sequence  of  numbers  greater  than  n. 

■(")  Filter(p,m)  is  a  stream  generating  the  sequence  obtained  by  removing  all 
multiples  of  p  from  the  sequence  generated  by  in. 

•  (iii)  Sift(m)  is  a  stream  whose  first  element  p  is  the  first  element  of  in  and  whose 
remainder  is  the  stream  obtained  by  filtering  p  from  in  and  sifting  the  result. 

From  this  and  a  little  number  theory  we  see  that  Sieve  is  indeed  a  stream 
generating  the  sequence  of  prime  numbers  in  increasing  order  as  claimed. 

Note.  The  Sieve  example  is  derived  from  a  description  in  terms  of  networks 
of  processes  [Kahn,  G.  and  D.  B.  MacQueen  1977]  which  can  be  interpreted  as 
coroutines  or  as  parallel  processes.  It  can  also  be  represented  in  Ihim  as  a  coroutine 
that  is,  in  a  strong  sense,  equivalent  to  the  stream  version.  Another  good  source  of 
stream  examples  is  [Abelson  and  Sussman  1985  (3.4)].  Here  streams  are  thought 
of  as  lazy  lists  and  represented  as  pairs  whose  first  element  is  the  next  element  of 
the  stream  and  whose  second  element  is  function  generating  the  remainder  of  the 
stream.  Endnote. 

2.5.  Using  coroutines  to  transform  sequences. 

A  system  of  coroutines  is  a  set  of  programs  that  interact  by  resuming  one 
another  rather  than  by  the  usual  function  call/return  mechanism.  A  given  corou¬ 
tine  when  resumed  will  continue  computation  where  it  last  left  off,  carry  out  the 
next  portion  of  its  computation,  and  then  resume  some  other  coroutine.  Typically 
information  is  passed  between  coroutines  by  updating  shared  data  structures  and 
each  coroutine  has  internal  state  that  keeps  track  of  where  to  begin  when  it  is 


§2 


Programming  with  function  and  control  abstractions. 


17 


resumed.  The  idea  was  originally  presented  in  [Conway  1963]  as  a  means  of  sepa¬ 
rating  a  laxge  compiling  program  into  a  number  of  small  independent  procedures. 
Each  procedure  is  a  coroutine  responsible  for  some  phase  in  the  transformation 
of  a  source  program  into  the  compiled  code.  Another  common  use  of  coroutines 
is  for  dealing  with  streams  of  characters  in  networks.  As  a  particular  example, 
we  adapt  a  segment  of  network  code  from  the  Stanford  WAITS  operating  system 
that  uses  coroutining  (J.  Weening  -  private  communication).  This  code  deals  with 
a  situation  where  one  gets  data  in  a  stream  of  36-bit  words,  but  would  like  to 
see  it  as  8-bit  bytes.  There  is  a  coroutine  INBYTE  responsible  for  getting  the 
next  byte  from  the  36-bit  word  stream.  Another  coroutine  which  uses  the  8-bit 
bytes,  for  example  to  generate  a  32-bit  word  stream,  resumes  INBYTE  each  time 
another  byte  is  needed.  INBYTE  has  nine  segments  of  code,  one  for  each  of  the 
nine  bytes  contained  in  two  consecutive  36-bit  words.  To  illustrate  the  main  fea¬ 
tures  we  outline  the  machine  code  (based  on  the  DEC10  language  FAIL)  for  a 
simplified  version  C32  that  transforms  3-bit  streams  into  2-bit  streams.  Here  IN 
is  the  coroutine  generating  the  3-bit  stream  and  OUT  is  the  coroutine  requiring  a 
2-bit  stream.  We  assume  4  registers  reserved  as  follows: 

A  for  control  communication  between  C32  and  IN 
B  for  control  communication  between  C32  and  OUT 
C  for  data  communication  between  C32  and  IN 
D  for  data  communication  between  C32  and  OUT 

The  instruction  JSP  A,  (A)  jumps  to  the  location  contained  in  A  and  replaces  the 
contents  of  A  by  the  location  plus  1.  JRST  loc  jumps  to  loc.  Initially  A  contains 
the  address  of  IN  and  B  contains  the  address  of  C32.  OUT  resumes  C32  by  JSP 
B ,  (B) .  The  code  for  C32  is 

C32:  JSP  A,  (A) 

C32a:  move  bits  C0-C1  into  D0-D1 

JSP  B,(B) 

C32b:  move  bit  C2  into  DO 

JSP  A, (A) 

C32c:  move  bit  CO  into  D1 

JSP  B, (B) 

C32d:  move  bits  C1-C2  into  D0-D1 

JSP  B,(B) 

JRST  C32 

In  Ram  we  represent  coroutine  interaction  without  using  internal  state  and  updat¬ 
ing  by  passing  shared  data  and  resumption  points  as  parameters.  Resumption  is 
described  by  the  pfn  Resume[ou<,  x]  which  resumes  the  context  represented  by  out 
passing  it  a  continuation  representing  the  context  in  which  the  call  occurs  and  the 
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additional  parameters  x.  [x  may  be  the  empty  sequence  and  hence  may  be  omitted 
in  calls  to  Resume.]  To  describe  coroutine  C32  we  define  a  pfn  C32  that  takes  a 
coroutine  in  generating  a  sequence  of  bits  segmented  as  strings  of  length  three  and 
returns  a  coroutine  generating  the  same  sequence  of  bits  segmented  as  strings  of 
length  two.  Thus  C32 (in)  takes  a  continuation  out  representing  the  resumption 
point  of  its  resumer  and  will  eventually  resume  out  with  the  next  output  string. 
Dually,  when  C32(m)  wants  the  next  input  string  it  will  resume  in  and  eventually 
be  resumed  with  the  next  resumption  point  of  in  and  the  next  input  string. 

t>  C32(m)[out]  <—  let{[m,  to]  Resume[m]} 

let{[x0,xi,x2]  -<-StrUn  (u>)} 

let  {out  Resume[out,  StrMk[x0,  xi]]} 

let  {[in,  tu]  Resume[m]} 

let{[x3,x4,x5]  -<-StrUn  («0) 

let{out  Resume[out,  StrMk[x2,  x3)]} 

let{out  -*■  Resume[out,  StrMk[x4, x5]]} 

C32  (in,  out) 

To  evaluate  an  expression  of  the  form  let{[x0, . . .  ,x„] -e ^rgl^body  first  v?arg  is 
evaluated,  then  then  x j  is  associated  with  the  i-th  element  of  the  value  of  y?arg  and 
V^body  is  evaluated.  Thus 

let{[x0,xi,x2]  -eStrUn("abc")}StrMk[x0,xi]  £  "ab" 

If  we  think  of  let  as  assignment  then  the  above  definition  looks  like  code  written 
in  a  standard  imperative  language. 

In  order  to  conveniently  discuss  properties  of  C32  we  add  “labels”  naming 
the  resumption  points  of  C32.  More  precisely  we  define  auxiliary  pfns  C32a,  C32b, 
C32c,  and  C32d  corresponding  to  the  remainder  of  the  computation  at  each  re¬ 
sumption  point.  These  pfns  have  the  following  properties 

C32(in)[out)  £  C32a(ou*)(Resume(*n)) 

C32a (out) [in,  to]  =  let{[x0,xi,x2]  -e  StrUn(u;)} 

C32b(m,  x2  )(Resume[ou<,  StrMk[x0,  xj]]) 

C32b(m,  x2)[oui]  =  C32c(  out,  x2)(Resume(m)) 

C32c( out,  x2 )[m,  tu]  =  let{[x3,x4,x5]  -e  StrUn(u>)} 

C32d(in,  x4 ,  X5 )( Resumefout ,  StrM  k[x2 ,  x3]]) 
C32d(m,x4,x5)[cmt]  =  C32(m)(Resume[out,  StrMk[x4,  x5]]) 
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In  each  case  the  first  list  of  parameters  (...)  lists  the  state  to  be  retained  and  the 
second  list  [. . .]  names  the  components  of  the  argument  passed  to  the  coroutine 
upon  resumption. 

The  key  to  computing  with  coroutines  is  to  note  that  resumptions  come  in 
pairs  -  the  first  executed  by  the  resumer  and  the  second  by  the  resumee.  When  a 
coroutine  g  generating  a  sequence  <x  is  resumed  it  will  eventually  resume  its  resumer 
with  the  next  element  of  a  in  a  context  representing  the  next  resumption  point  of 
g.  Thus  Resume^)  will  be  equivalent  to  Resume(Afc.<7'(Resume[Jb,  z]))  where  z  is 
next  element  of  a  and  g'  is  the  coroutine  generating  the  rest  of  the  sequence.  For 
this  use  of  resumption  the  key  property  of  Resume  is  given  by  resumption  theorem 
(res. res).  1 

(res.res)  Resume(Afc.0'(Resume[&,  z]))  =  [top  o  g z] 

and  thus  for  g  as  above  we  have 

(co)  Resume^)  =  [top  o  g',  z). 

These  properties  of  coroutines  and  resumption  are  all  we  will  use. 

To  see  how  this  works  in  our  string  transformation  example,  let  in  be  a  corou¬ 
tine  generating  strings  of  length  three  whose  first  two  elements  are  "abc"  and 
"def "  and  whose  remainder  coroutines  axe  in\  and  in 2.  Then 

(Ini)  Resume(m)  =  [top  0  mi ,  "abc"] 

(In2)  Resume(mi)  =  [top  o  in2,  "def"] 

We  can  compute  the  results  of  three  successive  resumptions  of  C32(m)  as  follows. 

(Res.l)  Resume(C32(m))  =  Resume(Afc.C32(m,  k)) 

=  Resume(A/;.C32a(fc)(Resume(m)))  ;;  dfn  C32 
—  Resume(AA:.C32a(fc)[top  o  mlt  "abc"])  ;;  (Ini) 

—  Resume(AA:.C32b(top  0  mi,#c)}(Resume[&,  "ab"]))  ;;  dfn  C32a 

—  [top  o  C32b(top  oim,  #c),  "  ab"] 

;;  (res.res) 

(Res. 2a)  C32b(top  o  *m,#c)(fc)  =  C32c(fc,#c)(Resume(top  0  ini))  ;;  dfn  C32b 


top  o  p  converts  a  pfn  p  into  a  pfn  that  discards  its  context  and  applies  p.  This 
corresponds  to  to  the  application  of  p  at  the  top  level. 
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-  C32c (k,  #c)[top  o  m2,  "def  "]  ;;  (ln2) 

—  C32d(top  o  i?2,  #e,  #f  )(Resume[A:,  "cd"])  ;;  dfn  C32c 

(Res. 2)  Resume(C32b(topomi,#c))  £  [top  o  C32d(top  o  m2,#e,#f),  "cd"] 

;;  (Res.2a)  and  (res. res) 

(Res. 3a)  C32d(top  o  in2,  #e,  #f  )(fc)  =  C32(top  o  m2)(Resume[it,  "ef "]) 

;;  dfn  C32d 

(Res. 3)  Resume(C32d(top  o  m2,#e,#f))  £  [top  o  C32(top  o  m2),  "ef "] 

;;  (Res.3a)  and  (res.res) 

Note.  Streams  and  coroutines  are  alternatives  for  providing  sequential  access  to 
data.  Both  provide  the  capability  to  delay  computation  of  the  next  element  of  the 
sequence  until  it  is  needed.  Both  allow  the  representation  of  infinite  sequences. 
They  differ  in  the  mechanism  for  accessing  the  elements  of  sequences  (apply  vs  re¬ 
sume)  and  in  the  mechanism  for  remembering  the  internal  state  (noting  vs  lambda 
abstraction).  Using  the  Rum  representations  of  streams  and  coroutines  one  can  de¬ 
fine  pfns  that  convert  streams  to  coroutines  and  coroutines  to  streams,  preserving 
the  sequences  generated.  Endnote. 
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3.  The  meta  world. 

Now  we  review  the  mathematical  structures  and  tools  to  be  used  in  the  defini¬ 
tion  and  application  of  'Rum.  They  are  finite  sequences,  finite  maps  and  inductive 
generation  of  domains,  operations,  and  relations.  The  point  is  to  establish  nota¬ 
tion  as  we  assume  that  the  reader  is  familiar  with  these  notions.  First  some  basic 
notation.  N  is  the  set  of  natural  numbers,  0, 1, . . .  and  t,  j,  k,  /,  m,  n  will  range  over 
N.  For  expressions  eo  and  ei,  eo(ei)  is  the  application  of  the  function  expressed 
by  eo  to  e\.  For  sets  A  and  B,  A  x  B  is  the  cartesian  product  of  A  and  B  with 
elements  (a,  b )  for  a  €  A  and  b  €  B,  and  we  write  A  ©  B  for  the  union  of  A  and 
B  when  A  and  B  are  disjoint.  Similarly  for  n-ary  products  (whose  elements  are 
n-tuples)  and  sums.  [A  — ►  B]  is  the  set  of  functions  from  A  to  B  and  [A  A  B] 
is  the  set  of  partial  functions  from  A  to  B.  In  the  presence  of  partial  functions, 
eo  =  ei  (eo  ei)  means  that  both  expressions  eo  and  ei  are  defined  and  have  the 
same  value  (distinct  values). 

As  to  general  format,  definitions  are  marked  by  the  sign  >  which  may  be 
followed  by  a  name  for  later  reference.  We  use  □name  to  mark  the  end  of  a  proof 
named  (name). 

3.1.  Finite  Sequences. 

For  any  set  A,  A*  is  the  domain  of  sequences  from  A.  □  is  the  empty  sequence 
and  has  length  0.  If  uo  and  tq  are  sequences  then  [uo,  t>i]  is  the  concatenation  of  vq 
and  tq .  Its  length  is  the  sum  of  the  lengths  of  Vo  and  v\ .  The  length  of  a  sequence 
v  is  denoted  by  |v|.  Formally  there  is  an  injection  map  from  A  to  the  sequences  of 
length  one  in  A*.  Informally  we  will  not  distinguish  elements  of  A  from  singleton 
sequences.  If  a  is  an  element  of  A  and  v  is  a  sequence  then  [a,  u]  is  a  non-empty 
sequence;  1st  [a,  v]  is  a,  the  first  element;  and  rst  [a,  i>]  is  u,  the  remainder.  1st  □  is  □ 
and  r^D  is  □.  For  i  <  |v|,  vj.,-  is  the  ith  element  of  v.  In  particular,  u|o  =  1st  v  and 
uJ.i+1  =  (rst  u)| ,.  Concatenation  is  associative  with  the  empty  sequence  as  right 
and  left  identity.  We  write  [iq ,  ...  ,  un]  for  the  concatenation  of  the  sequences 
ui,  ...  ,  vn.  a  is  a  member  of  v  (written  a  €  v)  iff  v  is  [u0,  a,  tq]  for  some  sequences 
u0,  vi. 

We  distinguish  A  x  A  from  the  subset  of  A*  consisting  of  sequences  length  2. 
This  is  because  we  wish  to  talk  conveniently  about  multi-ary  operations  whose  ar¬ 
gument  domains  may  be  sequence  domains.  Thus  (tq , . . . ,  vn)  (as  in  /(tq , . . . ,  vn)) 
is  an  n-tuple  of  sequences  and  is  not  the  same  as  [tq , . . . ,  un].  From  the  tuple  each 
Vi  can  be  retrieved  intact  while  in  the  concatenation  expression  they  become  part 
of  a  single  sequence. 


22 


§3 


3.2.  Finite  Maps. 


Finite  maps  are  functions  with  finite  domains.  We  represent  such  maps  as 
finite  sets  of  argument  value  pairs  called  bindings.  For  sets  A  and  B,  [A  -4  B]  is 
the  set  of  finite  maps  from  A  to  B.  It  is  generated  from  the  empty  map  {  }  by  the 
binding  operation.  The  domain  of  the  empty  map  is  the  empty  set  0  (also  written 
{  }).  For  a  €  A,  b  €  B,  and  f  a  finite  map  from  A  to  B ,  £{a  +  b}  is  the  map 
obtained  from  £  by  binding  b  to  a.  The  domain  of  £{a  -e  6}  is  obtained  from  the 
domain  of  f  by  adding  a.  For  a'  in  the  domain  of  f  {a  +  b}  we  have 


■+ 


b 

£(«') 


if  a'  =  a 
if  o'  #  a. 


Two  finite  maps  are  equal  just  when  they  are  equal  as  functions.  Different  con¬ 
structions  may  give  rise  to  the  same  functions  since  the  order  in  which  bindings  of 
different  elements  of  the  domain  are  added  does  not  matter  and  old  bindings  are 
forgotten. 


3.3.  Inductive  generation. 


Finite  inductive  generation  is  our  main  tool  for  defining  domains,  operations 
and  relations.  An  inductively  generated  domain  is  defined  by  giving  rules  for  con¬ 
structing  elements  of  the  domains  and  rules  for  determining  equality.  The  domains 
contain  only  the  elements  obtained  by  finitely  many  constructions.  Elements  gen¬ 
erated  by  different  constructions  are  different  unless  they  can  be  proved  equal 
using  the  rules  for  equality.  Abstractly  these  domains  are  essentially  initial  alge¬ 
bras  where  the  signature  of  the  algebra  can  be  read  from  the  construction  rules. 
For  such  domains  we  have  principles  for  definition  and  proof  by  induction  on  the 
generation  of  objects  in  the  domain.  For  example  the  domain  of  finite  maps  from 
A  to  B  is  an  inductively  generated  domain.  There  are  two  constructors,  the  empty 
map  and  the  binding  operation,  equality  of  maps  is  equality  of  the  corresponding 
functions,  and  the  application  laws  for  finite  maps  and  the  definition  of  the  domain 
of  a  finite  map  axe  defined  by  finite  map  induction. 


Operations  and  relations  may  also  be  defined  by  inductive  generation.  For 
this  purpose  we  think  of  operations  as  just  a  special  kind  of  relation.  Relations 
are  defined  by  giving  a  set  of  rules  for  determining  whether  a  given  tuple  is  in  the 
relation.  Formally  the  defined  relation  is  the  least  relation  (set  of  tuples)  satisfying 
the  closure  conditions  expressed  by  the  rules.  The  rules  are  often  presented  as 
logical  implications.  For  inductively  defined  relations  there  are  also  corresponding 
principles  of  proof  by  induction. 


We  refer  the  reader  to  Feferman  [1982]  for  a  theory  of  finite  inductive  def- 
mitions,  to  Goguen  and  Meseguer  [1983]  for  more  about  initial  algebras,  and  to 
1  osc^ovakis  [1975]  or  Aczel  [1977]  for  a  general  theory  of  inductive  definitions. 
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3.4.  The  S-expression  data  structure. 

Computation  in  'Rum  is  defined  relative  to  a  fixed  but  arbitrary  data  struc¬ 
ture  D.  We  assume  only  that  S  is  a  structure  (ID,  QD)  where  D  is  the  domain 
of  data  elements  and  O1'1  is  a  set  of  data  operations  mapping  ID*  to  0*.  The  S- 
expression  data  structure  £)sexp  =  (D9eXp,  0D9exP)  is  typical  of  the  data  structures 
we  have  in  mind.  It  contains  a  variety  of  data  construction  primitives  and  pro¬ 
vides  an  abstraction  of  the  algebraic  aspects  of  data  structures  commonly  used  in 
symbolic  computation.  The  S-expression  domains  and  operations  are  summarized 
in  Figure  1. 


Sort 

Constructor 

Constructor 

Domain 

Recog¬ 

nizer 

Uncon¬ 

structor 

Dzero 

ZeroMk 

Mt 

Zerop 

Dneg 

Subl 

Dneg  0  DZero 

Negp 

Addl 

Dpos 

Addl 

Dpos  0  DZCro 

Posp 

Subl 

Dstr 

StrMk 

D*  t 

“^int 

Strp 

Strlln 

Dnul 

MtIMk 

Mt 

Mtlp 

Dpair 

PairMk 

Dsexp  X  Dsexp 

Pairp 

Pairlln 

Figure  1.  The  S-expression  data  structure 

The  elements  of  the  S-expression  domain  DseXp  are  of  four  sorts:  Dmti,  Dint, 
Dstr,  and  Dpair-  IDmti  contains  a  single  object,  the  empty  list;  the  elements  of  Bjnt 
are  the  integers;  the  elements  of  Dstr  are  strings  of  integers;  and  Dpair  consists  of 
pairs  of  S-expressions.  To  describe  the  generation  of  DseXp,  we  split  Dint  into  three 
sorts:  Dneg  -  the  negative  integers;  IDzero  -  the  integer  0;  and  IDpos  -  the  positive 
integers. 

The  primitive  S-expression  operations  ©Dsexp  are  constructors,  unconstruc¬ 
tors,  and  recognizers  for  each  of  the  sorts.  Dsexp  is  freely  generated  by  the  con¬ 
struction  operations  applied  to  their  construction  domains.  Dzero  is  generated  by 
ZeroMk  applied  to  the  empty  sequence;  Dneg  is  generated  by  Subl  applied  to  non¬ 
positive  integers;  and  Dpos  is  generated  by  Addl  applied  to  non-negative  integers. 
IDmti  is  generated  by  MtIMk  applied  to  the  empty  sequence;  Dstr  is  generated  by 
StrMk  applied  to  sequences  of  integers;  and  Dpair  is  generated  by  PairMk  applied 
to  S-expression  sequences  of  length  2. 


24 


§3 


An  unconstructor  applied  to  an  element  of  the  corresponding  sort  returns  the 
sequence  from  which  that  element  was  constructed.  PairUn  is  the  unconstructor 
for  pairs  and  StrUn  is  the  unconstructor  for  strings.  Addl  serves  as  the  un con¬ 
structor  for  negative  integers,  and  Subl  as  the  unconstructor  for  positive  integers. 
[Lnconstructors  for  singleton  domains  are  omitted.] 

A  recognizer  applied  to  an  element  of  the  sort  that  it  recognizes  returns  that 
element.  The  recognizer  for  Bneg  is  Negp;  for  Bzero  is  Zerop;  for  Bp09  is  Posp;  for 
Dstr  is  Strp;  for  Dmti  is  Mtlp;  and  for  Dpajr  is  Pairp. 

A  constructor  applied  to  a  sequence  not  in  its  construction  domain  and  an 
unconstructor  or  recognizer  applied  to  anything  other  than  a  data  element  of  the 
corresponding  sort  return  the  empty  sequence. 

These  basic  operations  are  sufficient  to  define  any  computable  function  on  the 
S-expression  domain.  For  simplicity  we  will  assume  some  additional  operations  are 
given.  These  include  standard  arithmetic  operations  such  as  +  and  *,  standard 
projection  operations  on  pairs  Car  and  Cdr,  and  Atom  the  negation  of  Pairp.  To 
conform  to  traditional  Lisp  notation  we  will  use  Cons  as  another  name  for  PairMk 
and  will  also  use  Nil  to  denote  the  empty  list. 

We  will  use  the  usual  notation  for  integers  and  pairs  strings  and  lists  Thus 
ZeroMk(o)  =  0,  Addl(0)  =  1,  Subl(0)  =  -1,  and  PairMk[a,6]  =  a  .  b.  #a,  #b, 
;•  •  ’  denote  integer  codes  for  the  characters  ‘a’,  ‘b’,  etc.  and  StrMk[#a,#b,#c]  = 
"abc".  Lists  are  the  subset  of  S-expressions  generated  from  the  empty  list  <>  by 
pairing  arbitrary  S-expressions  with  fists.  Thus  MtlMk(o)  =  <>  and  <ai  ...  an> 
abbreviates  ax  .  (. . .  (a„  •<>)...)  as  usual. 

The  following  equations  illustrate  the  laws  for  data  operations: 

Pairp(a0  *  aj)  =  a0  •  cq  PairUn(a0  •  ai)  =  [a0,ai] 

Pairp("abc")  =  □  PairUn("abc")  =  □ 

Mtlp(<a>)  =  □  Mtlp(o)  =  <> 

Addl(Subl(0))  =  0  Addl(a)  =  □ 

StrUn("abc")  =  [#a,#b,#c] 


A 


§4 


The  7 vum  world. 
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4.  The  Rum  world. 

Rum.  is  a  theory  of  computation  developed  with  the  goal  of  treating  both 
intensional  and  extensions!  aspects  of  programs  that  use  functional  and  control 
abstractions.  Many  of  the  ideas  have  analogs  in  [Landin  1964,5,6],  [Reynolds 
1972],  [Wegner  1971,2],  and  [Steele  and  Sussman  1975].  In  this  section  we  define 
the  basic  domains,  operations,  and  relations  and  introduce  some  further  notation. 
More  detailed  developments  of  the  computation  theory  and  proofs  of  theorems  can 
be  found  in  Talcott[1985]. 

We  assume  that  a  set  of  symbols  §j»,  a  data  domain  B,  and  set  of  data  op¬ 
erations  QD  acting  on  sequences  from  B  are  given.  The  S-expression  structure 
described  in  §3  is  an  example  of  a  data  domain  and  set  of  data  operations. 

4.1.  Domains  of  Rum. 


Figure  2  lists  the  domains  (sorts  of  objects)  of  Rum  together  with  metavari¬ 
ables  ranging  over  these  domains. 


Name 

Notation 

Description 

Data 

D 

domain  of  the  given  data  structure 

€  D* 

sequences  form  the  data  domain 

Data  operations 

o  e  oD 

operations  of  the  given  data  structure 

Symbols 

s  €  §v 

for  naming  values 

Forms 

V  €  F 

expressions  describing  computations 

Continuation  forms 

Fe#  C  F 

for  making  continuation  segments 

Environments 

£  €E 

finite  maps  from  symbols  to  values 

D trees 

6  G 

description  trees 

Pfns 

p  €  P 

descriptions  of  partial  functions 

Continuations 

7  €  Co 

descriptions  of  computation  contexts 

Operations 

i?  €  0 

data  operations,  pfns,  continuations 

Computation  Domain 

a  €  V 

data  and  operations 

Values 

u,v  e  V* 

sequences  from  computation  domain 

States 

C  €  & 

states  of  sequential  computations 

Figure  2. 

Rum  Domains 
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As  discussed  in  §3  the  Rum  domains  are  essentially  many-sorted  initial  al¬ 
gebras.  They  are  presented  by  the  defining  equations  given  in  Figure  3.  The 
summands  in  the  equations  indicate  the  name  and  arity  of  the  domain  element 
constructors.  A  constructor  applied  to  a  tuple  of  domains  denotes  the  set  of  ob¬ 
jects  obtained  by  applying  the  constructor  to  all  tuples  of  objects  in  the  tuple 
of  domains.  For  example  A  is  a  form  constructor  with  two  arguments,  a  symbol 
and  a  form  and  A(S»,  F)  is  the  set  of  forms  A (s,  p)  for  «  a  symbol  and  <p  a  form. 
The  defined  domains  are  the  least  sets  satisfying  these  equations.  Foments  with 
different  constructions  are  distinct  unless  they  can  be  proved  equal  by  the  equality 
rules  to  be  explained  below. 


F  ~  §y  ©  A(Sy,  F)  ©  app(F,  F)  ©  if(F,  F,  F)  ©  mt  ©  cart(F,  F)  ©  fst(F)  ©  rst(F) 
©top  ©  note(Sy,  F) 

Fc.  ~  ifi(F,F)  ©  appi(F)  ©  appc(Sy)  ©  carti(F)  ©  cartc(S»)  ©  fstc  ©  rstc 
ID>t  ~  {(<£>  :  £)  |  Frees(<p)  C  Pom(f)} 

P  ~  {(A(s,<,s>)  :  f)|Frees(A(s,<£>))  C  £om(f)} 

O  ~  top  ©  {Co  o  (<p  :  £)  \Frees((p)  C  Dom(f)  A  <p  £  Fc«} 

&  ~  (Co  v  OJt)  0  (Co  a  V*) 

0~0D©P©Co  V  ~  D  ©  O  E  ~  [Sy  4  V*] 
where 

»  <^2  )  =  A(s,  ,  if(s*  ,<fii,(p2)) 

appi(v?i)  =  A(5.,app(a.)Vji)) 
appc(5)  =  A(s„,app(s,s«)) 

carti(^1)  =  A(5.,cart(5.,v?1)) 

cartel)  =  A(s.,  cartes.)) 
fstc  =  A(s,,fst(a,)) 
rstc  =  A(s,, rst(s.)) 

with  5,  chosen  so  as  to  occur  only  where  explicitly  shown. 

_  Figure  3.  Domain  equations 
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About  Forms.  Expressions  called  forms  are  the  syntactic  objects  -  our  pro¬ 
gramming  language.  Forms  are  generated  from  the  set  §y  of  symbols  and  the 
constants  mt  and  top  (for  naming  the  empty  sequence  and  the  empty  context 
respectively)1  by  the  constructions  app  (application),  A  (function  abstraction), 
note  (control  abstraction),  if  (conditional),  cart  (sequence  concatenation),  and  fst 
and  rst  (sequence  selection),  note  is  the  "Rum  analog  of  Landin’s  J  operator,  and 
the  catch  construct  of  Scheme  [Steele  and  Sussman  1975]  (known  as  call/cc  in 
modern  versions  of  Scheme  [Rees  and  Clinger  1986]).  It  binds  the  continuation 
representing  the  current  computation  context  to  the  noted  symbol.  For  conditional 
branching,  the  empty  sequence  represents  false  and  any  non-empty  sequence  rep¬ 
resents  true.  A  and  note  are  binding  constructs.  Bound  and  free  occurrences  of 
symbols  in  forms  are  defined  as  usual  and  Frees(<p)  is  the  set  of  symbols  occur¬ 
ring  free  in  y>.  Two  forms  are  equal  if  they  have  the  same  construction  modulo 
renaming  of  bound  variables  (a-conversion).  <^>{s/<^o}  is  the  result  of  replacing 
free  occurrences  of  s  in  <p  by  <po  (with  renaming  of  bound  symbols  in  <p  if  nec¬ 
essary  to  avoid  trapping  of  free  symbols  in  <po).  We  will  use  c,  /,  g,  h,x,y,z  and 
other  identifiers  not  otherwise  reserved  to  denote  particular  symbols  when  writing 
particular  forms.  Distinct  identifiers  are  assumed  to  denote  distinct  symbols.  We 
use  traditional  notation  for  application  and  abstraction.  Thus  we  generally  write 
A x./(x)  for  A(/,app(/,x)).  Other  convenient  abbreviations  and  notation  will  be 
given  later. 

About  Dtrees.  To  describe  a  particular  computation,  a  form  is  closed  in  an 
environment  that  assigns  a  sequence  of  elements  from  the  computation  domain  to 
the  free  symbols.  This  closure  is  called  a  dtree  (for  description  tree)  to  emphasize 
the  relation  between  the  tree  structure  of  a  form  and  the  local  structure  of  the 
computation  described  by  the  form.  Two  dtrees  are  equal  just  when  they  differ 
by  renaming  of  environment  bound  symbols  (i);  by  renaming  of  A-  or  note-  bound 
symbols  (ii);  or  by  modifying  bindings  of  symbols  not  free  in  the  form  (iii). 

(i)  (cart(x,x)  :  f)  =  (cart(x,y)  :  £)  ;;  if  £(x)  =  f(y) 

(ii)  (Ax.note(c)/(cart(c,  x))  :  £)  =  (Ay.note(k)/(cart(fc,y))  :  f) 

(iii)  (x  :  0  =  (x  :  £{y-<-u}) 

Note  that  by  our  convention  in  (iii)  x  and  y  axe  distinct  symbols. 

About  values.  The  computation  domain  contains  data,  data  operations,  pfns , 
and  continuations. 


1  We  use  top  to  denote  both  the  form  and  the  corresponding  continuation.  Context  will 
determine  the  meaning  in  cases  where  the  distinction  is  important. 
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Structurally  pfns  are  just  A-dtrees  and  two  pfns  are  equal  just  when  the  cor¬ 
responding  dtrees  are  equal.  Computationally  pfns  are  functional  abstractions 
analogous  to  Landin’s  closures.  The  computation  described  by  application  of  a 
pfn  to  a  value  is  that  described  by  the  dtree  whose  form  is  the  body  of  the  lambda 
form  and  whose  environment  is  the  result  of  binding  the  value  to  the  lambda 
variable  in  the  pfn  environment. 

Continuations  represent  computation  contexts  built  up  in  the  process  of  car¬ 
rying  out  computations.  Structurally  they  are  sequences  of  dtrees  whose  form 
components  are  continuation  segment  forms.  Two  continuation  segments  are  equal 
just  when  the  corresponding  dtrees  are  equal  and  two  continuations  are  equal  just 
when  they  the  same  length  and  corresponding  segments  are  equal.  Computation¬ 
ally  continuations  are  control  abstractions.  Applying  a  continuation  to  a  value 
means  resuming  computation  in  the  context  represented  by  the  continuation,  re¬ 
turning  the  value  and  discarding  the  current  context. 

The  only  further  rules  of  equality  are  the  equality  rules  for  finite  maps  and 
finite  sequences  explained  in  §3. 

4.2.  Operations  and  relations. 


Figure  4  summarizes  the  operations  and  relations  on  'Rum  domains  defined 
below.  The  sign  for  each  operation  or  relation  is  given  together  with  its  axity. 


Name 

Notation  and  aritv 

Single  Step 

€[&-£►  &] 

Step 

►  C  [&  x  St] 

C-seq  formation 

Cs  €  [Dt  -4  &*] 

Evaluation 

<-*■  €  [Dt  A  V*] 

Reduces-to 

>fC[OixIfc] 

Defined  ness 

11  C  D « 

Figure  4.  Relations  and  operations  of  7vum 
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4.2.1.  Computation  rules. 

Computation  is  modeled  as  a  process  of  generating  sequences  of  structures 
called  computation  states.  This  is  similar  to  the  approach  of  Wegner.  Computation 
states  together  with  the  single  step  (next  state)  relation  constitute  an  abstract 
machine  analogous  to  the  SECD  machine  of  Landin.  The  Thim  abstract  machine 
is  very  similar  to  the  abstract  machine  implicit  in  the  first-order  continuation 
passing  interpreter  of  Reynolds  and  to  the  abstract  machine  from  which  Felleisen 
and  Friedman  derive  their  control  calculus. 

Computation  states  come  in  two  flavors  begin  states  7  v  6  constructed  from 
a  continuation  7  and  a  dtree  8  and  return  states  7  ^  u  constructed  from  a  con¬ 
tinuation  7  and  a  value  v.  The  continuation  component  of  a  state  represents  the 
current  context.  The  dtree  component  of  a  begin  state  represents  the  current 
expression  -  the  subcomputation  to  begin  next.  A  return  state  corresponds  to 
returning  the  value  component  to  the  current  context.  Continuations  axe  compo¬ 
sitions  of  segments  corresponding  to  steps  in  building  up  the  context  represented. 
The  continuation  top  represents  the  empty  context  (top  level).  If  7  represents 
the  context  for  (<£0(^1)  :  0>  the  application  of  ipo  to  ip\  in  environment  f,  then 

7  0  (appi(v?i)  :  £)  represents  the  context  for  the  evaluation  of  the  function  part 
{ipo  :  £).  If  (ip 0  :  £)  returns  value  v  then  7  o  appc(u)  represents  the  context  for 
evaluation  of  the  argument  part  (<pi  :  £).  If  7  represents  the  context  for  the  eval¬ 
uation  of  (if(<^o,¥?i,¥>2)  :  £)  then  7  o  (ifi(<pi,  </?2)  :  f)  represents  the  context  for  the 
evaluation  of  the  test  part  (ipo  •  £)•  Similarly  for  cart  (segment  constructors  carti, 
carte)  fst  (segment  constructor  fstc),  and  rst  (segment  constructor  rstc).  Note  that 
we  use  some  abbreviations  in  writing  continuation  segments.  For  example  appc(u) 
abbreviates  (appc(x)  :  x-*-v)  since  the  choice  of  symbol  is  irrelevant,  and  fstc 
abbreviates  (fstc  :  £)  since  the  environment  is  irrelevant. 

Computation  proceeds  by  applying  the  step  rules  to  obtain  a  sequence  of 
states  called  a  computation  sequence.  The  form  and  continuation  segment  con¬ 
structors  correspond  to  abstract  machine  instructions.  For  begin  states  7  v  6  the 
rule  to  be  applied  is  determined  by  the  construction  of  the  form  component  of  8.  If 

8  is  primitive  its  value  is  returned  to  7.  Otherwise  a  subexpression  of  8  is  selected, 
a  continuation  segment  is  added  to  the  continuation  recording  the  information 
needed  to  continue  when  the  value  of  the  selected  subexpression  is  returned,  and 
computation  described  by  the  subexpression  is  begun.  A  return  state  top  a  v  is 
terminal.  For  return  states  (7  o  i/>)  a  d  the  rule  to  be  applied  is  determined  by 
the  component  of  the  top  segment  i\>.  If  this  corresponds  to  a  basic  computation 
primitive  (ifi,  appe,  carte,  fstc,  rstc)  it  is  executed.  Otherwise  the  next  .subexpres¬ 
sion  to  process  is  chosen  and  the  top  segment  is  replaced  by  a  new  segment  that 
remembers  the  returned  value  and  any  additional  information  needed. 
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>""**  is  the  least  relation  on  states  satisfying  the  following: 

(sym)  77.(«  :  f)  >->, 

(lam)  7  v  (A(s,<^body)  :  0  W,  7  *  <A(s,v>body)  :  f) 

(app)  7  v  (app(<y?fun,<pirg)  ;  >— ♦,  y  o  (appi(y>arg)  ?  £)  v  (<^fun  ;  £) 

(appi)  7o(appi(v?«g)  :  0  A  v/un  >-♦,  (7  0  appc(v/„n ))  v  (<p4rg  :  f) 

(o)  7  o  appc(o)  a  <*  7  A  0(d) 

(appc)  7  O  appC((A(s,9)  5  0)  A  »«rj  >—*,  7  v  (<?  :  £{«-*•  War*}) 

(SW)  7  0appc(7o)A  Varfl  70  ±Varg 

((f)  7  v  (if(v’te.t,V?then,  Velse)  !  £)  K  7»  (W(^»bM ,  Wm)  !  0  v  j  f) 

(ifi)  7  o  (ifl(vtb«i,  Vh.)  :  0  a  vu.t  H,7»(  j*th“  :  ?  if  t,‘e“  *  ° 

l  (v’elee  :  £)  if  V(e,t  =  □ 

(mt)  7  v  mt  >— ►,  7  a  o 

(cart)  7  v  (cart(v>ih»,v?rhB)  :  £)  >— ►,  7  o  (carti(y>rhs)  :  £)  v  (<plh8  :  f) 

(carti)  7  o  (carti^rhs)  :  £)  a  x-+4  7  o  cartc(tvfc,)  v  (<prh6  :  f) 

(carte)  7  0  cartc(u//1<)  a  vrh,  >— ►,  7  a  [v/A,,t>rA,] 

(fst)  7  v  (fst(v?,eq)  :  0  x-4  7  0  fstc  V  (<peeq  :  £) 

(fStc)  7  o  fstC  a  v,eq  W.  7  a  1“  (,|#f) 

(rst)  7  V  (rst(<,p,eq)  :  £)  x->4  7  o  rstc  v  (yj,,,,  :  £) 

(rstc)  7  o  rstc  a  v,eq  >-*,  7  A  r«  (v#e?) 

(top)  7  v  top  7  a  top 

(note)  7  v  (note(s)v? :  0  >-*,  7  *  (*? :  £{a  7}) 

*■  Is  the  transitive  reflexive  closure  of  >— +, . 


Figure  5.  Rules  for  stepping 

~~  —  ■ — - - - - - - - 

4.2.2.  Computation  sequences. 

>  (Steps):  The  single-step  relation  ( )  and  the  step  relation  (  X-  )  are  defined 
m  Figure  5.  A  step  is  a  pair  of  states  (Co,Ci)  such  that  (0  > — Ci-2 

It  is  easy  to  see  from  the  definition  that  the  single-step  relation  is  a  functional 
relation.  This  is  expressed  by  the  unicity  lemma. 

Lemma  (single-step  is  functional):  £  >—*t  (0  a  (  =*►  (^0  =  Ci- 


‘One  might  also  include  the  rule  applied  as  part  of  a  step.  In  Hum  the  rule  is  uniquely 
determined  by  the  first  state. 
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7  V  (if(Zerop(x),c(x),x)  :  £) 

>— 7  0  (ifi(c(x),x)  :  £)  v  (Zerop(x)  :  £) 

on 

>-+70  (ifi(c(x),x)  :  £)  0  (appi(x)  :  £)  v  (Zerop  :  £) 

(app) 

>— *•  7  0  (ifi(c(x),x)  :  £)  0  (appi(x)  :  £)  a  Zerop 

(sym) 

H  70  (ifi(c(x),x)  :  £)  0  appc(Zerop)  v  (x  :  £) 

(appi) 

H  70  (ifi(c(x),x)  :  £)  0  appc(Zerop)  a  0 

(sym) 

W  7  0  (ifi(c(x),x)  :  £)  a  0 

(Zerop) 

^  7  v  (c(x)  :  £) 

(ifi) 

H  7°  (appi(x)  :  £)  v  (c  :  £) 

(app) 

>— ►  7  0  (appi(x)  :  £)  a  top 

(sym) 

H  70  appc(top)  v  (x  :  £) 

(appi) 

H70  appc(top)  a  0 

(sym) 

>— ►  top  A  0 

(sw) 

where  £  maps  x  to  0,  c  to  top,  and 

maps  the  symbol  Zerop  to  the  S-expression  operation  Zerop. 

Figure  6.  Example  computation  sequence 

>  (Computation  sequences.):  A  non-empty  (possibly  infinite)  sequence  of 
states  E  is  a  computation  sequence  if  each  adjacent  pair  of  states  is  a  single  step  - 

(Vi  <  IE  I  —  1)(EJ, i  y-*i  E|j+i).  We  write  £a  > — ♦  Cz  if  S  is  a  finite  computation 
sequence  of  length  n  +  1  such  that  Ejo  =  Ca  and  Ejn  =  Cz-  C.s(C)  is  the  longest 
computation  sequence  with  first  element  C-  By  the  functionality  of  single  step  there 
is  a  unique  (possibly  infinite)  such  sequence.  Cs(6),  the  computation  sequence  for 
the  dtree  S,  is  defined  as  Cs(top  v  6). 

To  illustrate  the  structure  and  properties  of  computation  we  carry  out  in 
detail  the  computation  described  by  the  form  if(Zerop(x),  c(x),  x)  closed  in  an 
environment  £  mapping  x  to  0  and  c  to  top.  The  computation  is  carried  out  in 
an  arbitrary  context  7.  The  resulting  computation  sequence,  Eex,  is  shown  in 
Figure  6.  The  rule  applied  for  each  step  is  given  in  the  column  at  the  right. 
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4.3.  Abbreviations  and  notation. 

We  close  this  section  with  some  syntactic  sugar.  We  use  two  kinds  of  def¬ 
initions  -  syntactic  abbreviations  (macros)  and  definitions  of  “constants”.  The 

sign  .=  is  used  for  syntactic  abbreviations  (macro  expansion)  and  the  sign  < _ 

is  used  f°r  constant  definitions.  Defining  a  constant  has  the  effect  of  restricting 
environments  to  map  the  constant  symbol  to  its  value. 

>  (application  macros):  Multi-ary  application  and  abstraction  can  be  ex¬ 
pressed  by  currying  or  by  using  sequences  and  let  abbreviates  lambda  application 
as  usual. 

Asi,  ...  ,sn.ip  :=  A  (s\,  ...  A(sn,<f) . . .), 

<Po(<Pi,  •••  ,<fn)  :=  app(  ...  app^o,^),  ...  <pn), 

[v?i,  •••  ,<Pn]  :=  cart(<(p1,cart(  ...  ,9?n)), 

A[si,52,  ...  ,sn]<^>  :=  Asi.((Asi.A[s2,  ...  ,5n]v?)(fst(s!), rst(si))),  and 
let{6-<-  <£>}<£body  :=  (A&.<^body)(<^). 

where  6  is- a  symbol  or  a  sequence  of  symbols. 

We  define  the  constants  I  (the  identity  pfn),  B  (the  composition  pfn),  and  Rec 
(the  recursion  pfn)  as  follows. 

>  I  *—  Ax.x 

>  B  <—  A f,g,x.f(g(x)) 

>  Rec  <-  \g.\et{h  +  \h.Ax.g(h(h),x)}h(h) 

We  often  use  infix  notation  for  “binary”  pfns.  For  example  p0 oPl  is  the  composition 
B(Po,Pi) 

Recursive  definitions  are  represented  using  the  recursion  pfn.  A  recursion 
equation  of  the  form 

ip 

where  6,-  is  a  symbol  or  a  sequence  of  symbols,  is  an  abbreviation  of 


For  example 

>  Bot  Ax.Bot(x) 


/  Rec(\f.\bu...,bn.f). 
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defines  Bot  to  be  Rec(A/.Ax./(x))  (=  Rec(ABot.Ax.Bot(x))).  Thus  Bot  is  the 
totally  undefined  (bottom)  pfn.3 

>  (boolean  macros):  The  boolean  operations  and,  or,  and  not  are  defined  using 
if  following  the  Lisp  tradition.  Here  T  is  any  expression  with  non-empty  value  - 
for  example  I. 

^rhs)  ‘=  if(<^lhs,T,if(<^rh8,T,  mt)) 
and(y>ihs,Y?rhs)  :=  i%ih9,i%,rhs,T,  mt),  mt) 
not(</>)  :=  i%,mt,T) 

4.4.  Operational  relations 

We  call  properties  of  pfns  that  depend  only  on  their  “black  box”  behavior  ex- 
tensional  properties.  Such  properties  do  not  depend  on  the  computation  described 
but  only  on  the  results  of  application.  Many  of  the  properties  we  wish  to  prove 
about  programs  axe  extensional  properties.  For  example 

•  Tpc,  and  Tps  compute  the  same  function  as  Tp. 

■  C32  converts  a  sequence  of  characters  segmented  as  strings  of  length  three 
into  the  same  sequence  of  characters  segmented  as  strings  of  length  two. 

■  Sieve  generates  the  sequence  of  all  prime  numbers  in  increasing  order 

The  operational  approximation  and  equivalence  relations  on  dtrees  and  values 
formalize  the  notion  of  “same  black  box  behavior”.  The  basic  idea  is  that  two  ob¬ 
jects  are  equivalent  if  they  can  not  be  distinguished  by  any  computational  context 
(continuation).  Operational  equivalence  in  "Rum  is  defined  in  terms  of  the  abstract 
•machine  described  in  §4.  It  is  an  adaptation  of  [Plotkin  1975],  which  is  in  turn 
an  adaptation  of  the  notion  of  extensional  equivalence  [Morris  1968].  Operational 
approximation  and  equivalence  axe  preserved  by  substitution  and  abstraction  and 
thus  provide  a  good  basis  for  equational  reasoning.  For  most  pfns,  the  intended 
domain  of  application  is  some  subset  U  of  V*  and  we  are  really  interested  in  prov¬ 
ing  statements  of  the  form  “for  u  ranging  over  U  . . .  u  . . .  ” .  For  this  reason,  we 
also  define  the  operational  membership  relation  on  dtrees  and  subsets  of  values. 
Operational  membership  in  some  set  of  values  expresses  the  fact  that  a  dtree  can 
be  treated  as  if  it  were  a  value  in  that  set.4 


3  We  consider  the  case  of  a  pfn  defined  by  a  single  equation.  The  multiple  recursion  case 
is  similar,  just  messier. 

4  The  traditional  formulation  of  operational  equivalence  (cf.  [Plotkin  1975])  is  between 
forms  (expressions)  rather  than  dtrees  (closures).  In  the  appendix  we  show  that  are 
formulation  when  extended  to  forms  is  equivalent  to  the  standard  formulation. 
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We  begin  by  defining  the  trivial  approximation  relation  C0  on  values  which 
relates  values  of  the  same  length  whose  corresponding  elements  are  either  equal 
data  elements  or  both  operations  (but  not  necessarily  equal).  This  is  our  version 
of  indistinpishable.  Two  states  axe  trivially  approximate  if  the  first  steps  to  a 
value  implies  that  both  step  to  related  values. 

o  (Trivial  approximation): 

Vo  &)Vi  =  I  t>o  I  =  lull  A  (Vi  <  lvol)(voi<  €  D  V  VjI,- €  D  =»  v0,U  =  t>iJ.<) 
Co  Eo  Ci  =  (Vi>o)(Co  >-+  top  a  u0  =*  (3ui)(u0  C0  vi  A  (i  M  top  a  Vl )) 

Operational  approximation  C  is  defined  in  terms  of  trivial  approximation  by  saying 
that  two  dtrees  or  values  are  operationally  approximate  just  if  for  any  continua¬ 
tion  the  corresponding  states  are  trivially  approximate.  Operational  equivalence 
(=)  is  the  intersection  of  operational  approximation  with  its  inverse.  Operational 

membership  €  in  a  set  of  values  means  operational  equivalence  to  a  value  in  that 
set. 

>  (Operational  relations): 

soQ6i  =  (V7X7  ^o&7’  £1) 
v0  c  v1  =  (V7X7  A  u0  C0  7  A  Vl) 

=  X1  =  Xo  C  xi  A  Xi  E  Xo)  ;;  x  a  dtree  or  value 

v  €  U)(v  =  u)  ;;  U  a  subset  of  V* 

The  operational  relations  are  extended  to  relate  dtrees  and  values  by  defining 
6  Rv  ft  6  R  (x  :  x  +  v)  for  R  one  of  C,£  and  6  €  U  =  (3u  €  U)(S  5£  u)  for  U  a 

subset  of  V*.  Operational  membership  in  the  set  V*  expresses  definedness  in  the 
strong  sense  that  a  value  is  returned  to  any  calling  context. 

Some  key  properties  of  operational  approximation  and  equivalence  are  stated 
below.  These  are  all  the  properties  that  are  needed  to  develop  our  first-order 
theory.  Proofs  can  be  found  in  the  appendix. 

Theorem  (Pre-order  and  equivalence):  C  and  £  are  reflexive  transitive 

relations  and  =  is  symmetric  (hence  indeed  an  equivalence). 

Theorem  (Pointwise):  Approximate  values  are  pointwise  approximate. 
u0  Cu!  =>  |v0l  =  1^1  A  (Vi  <  lw0l)(i;oii  CvU<) 
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Corollary  (Pointwise):  Data  values  axe  approximate  only  if  equal. 
do  Q  di  &  do  =  d\ 

Theorem  (Computational  facts): 

(i)  Co  > — *  Ci  Co  Eo  Cl  A  Ci  Eo  Co 

(ii)  Co  >— ♦  top  a  v0  A  Ci  >— ♦  top  a  v\  =$■  Co  Eo  Ci  t>o  Eo  «i 

To  formalize  the  notion  of  substitution  into  semantic  (dtrees,  values,  continua¬ 
tions,  and  states)  entities  we  consider  entities  with  (zero  or  more)  holes  for  dtrees, 
continuations,  or  values.  We  will  only  need  to  consider  entities  with  a  single  sort 
of  hole.  Such  entities  axe  built  in  the  same  way  as  ordinary  entities  except  that 
we  add  a  clause  asserting  that  holes  of  a  given  sort  are  objects  of  that  sort,  then 
x[6]  is  the  result  of  filling  the  hole  with  S.  Similarly  for  other  sorts  of  holes. 

Theorem  (Substitution):  For  x  a  dtree  or  value 

(subst.c)  70  E  7i  .=>  x[7ol  E  xItiJ 
(subst.dt)  60  E  Si  =►  xIM  E  xl<$il 
(subst.v)  v0  E  vi  =►  xM  E  xbil 

Corollary  (subst.env): 

(Vs  €  Frees(<f)U0(s)  C  &(*))  =►  (9  :  &}  E  (<?  :  6) 

For  full  generality  we  consider  dtrees  as  being  generated  by  constructors  analogous 
to  forms.  Thus  dtree  holes  can  occupy  the  position  of  a  free  variable  in  a  form. 
This  leads  to  the  following  corollary. 

Corollary  (subst.exp):  If  S0  =  (v?o  =C)  E  £1  =  (^i  :£)  and  6[  J  =  (v?{x/[  J}  :£) 
then 

<$IM  =  (</?{x/v?o)  :  0  E  6|[£i]  =  (<p{x/<pi)  :  £). 

Theorem  (Extensionality): 

(ext. op)  ‘Oq  E  <=>  (Vv)(t?0(v)  E  tii(v)) 

(ext.co)  70  E  7i  <=►  (Vv)(7o  a  v  E  7i  A  v) 

where  by  abuse  of  notation  we  write  d(v)  for  (app(/,  x)  :  /  -<- 19,  x  -e  v),  etc. 
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The  recursion  theorem  says  that  the  recursion  pfn  Rec  computes  the  least 
nxedpomt  of  pfnls  —  closures  of  forms  Xf.Xx.ip. 

Theorem  (Recursion):  Let  t?  be  a  closure  of  then  the  recursion  op¬ 

erator  Rec  computes  the  least  fixed-point  of  t?  with  respect  to  the  operational 
approximation  ordering. 

(fix)  Rec(tf)  £  tf(Rec(0)) 

(min)  T?(tf0)  E  t?o  =►  Rec(tf)  C  t?0 


A 
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5.  Towards  a  theory  of  function  and  control  abstractions 

The  operational  approximation  and  equivalence  allow  one  to  forget  the  details 
of  how  a  computation  is  carried  out,  but  one  must  still  use  dtrees  and  states  as  well 
as  values  in  reasoning  about  properties  of  pfns.  We  would  like  to  work  only  with 
values.  To  do  this  we  define  a  language  for  expressing  extensional  properties  of 
elements  of  the  computation  domain.  In  this  language  forms  play  the  role  of  terms 
and  atomic  formulas  are  based  on  the  operational  approximation  and  membership 
relations.  The  semantics  of  the  language  is  based  on  notions  of  satisfaction  and 
truth  in  the  Rum  model  using  environments  as  interpretations.  The  formal  theory 
is  parameterized  by  a  data  structure  35  just  as  the  underlying  intensions!  semantics 
is.  The  axioms  and  rules  fall  into  three  groups.  The  basic  logical  theory  includes 
the  first-order  logic  of  partial  terms,  laws  for  defining  and  proving  membership  in 
sets  of  values  (“in  laws”),  and  induction  schemes.  The  computational  laws  include 
the  theory  of  the  underlying  data  structure,  rules  for  reasoning  about  sequences, 
and  rules  simulating  reduction  steps.  The  final  group  of  laws  concern  extensionality 
and  the  recursion  theorem.  We  derive  some  additional  laws  to  illustrate  the  use 
of  the  basic  laws  and  to  develop  tools  for  proving  properties  of  particular  pfns. 

5.1.  The  language  and  its  semantics 

We  now  develop  a  language  and  theory  for  expressing  and  proving  extensional 
properties  of  elements  of  the  computation  domain. 

>  (Terms):  The  terms  of  the  language  are  just  forms  where  we  partition  symbols 
into  variables  and  constants.  For  variable  symbols  we  will  use  italic  identifiers  such 
as  x,  /,  out,  etc.  For  constant  symbols  we  will  use  identifiers  in  ThisFont.  The 
constant  symbols  will  be  used  to  give  names  to  data  elements,  data  operations, 
pfns  and  other  defined  constants  and  will  generally  depend  on  the  particular  choice 
of  data  structure  We  will  not  distinguish  between  constant  symbols  and  the 
constants  they  denote.  For  example  in  the  case  of  S-expressions  the  symbol  PairMk 
is  a  constant  symbol  denoting  the  S-expression  operation  PairMk.  In  all  cases  Rec 
is  a  constant  symbol  denoting  the  recursion  pfn  Rec. 

>  (Atomic  formulae):  Atomic  formulae  are  <po  E  <Pi  and  tpo  €  U  for  each 
subset  U  of  V*.1  We  will  use  U ,  Uo,  . .  .as  metavariables  ranging  over  subsets  of 
V*. 

>  (Formulae):  Formulae  are  built  from  atomic  formulae  in  the  usual  way  using 

the  logical  connectives  and  quantifiers  (  A  ,  V).  The  free  and  bound  variables  of 

a  formula  are  determined  as  usual.  We  will  use  $0,  etc.  to  denote  formulae. 


1  In  practice  we  use  only  subsets  definable  by  simple  operations. 
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The  meaning  of  a  formula  is  defined  by  saying  when  it  is  true,  which  in  turn  is 
defined  in  terms  of  the  notion  of  satisfaction.  Intuitively  an  environment  £  satisfies 
a  formula  $  iff  the  closure  of  $  is  true  of  the  corresponding  dtrees.  In  a  statement 
of  the  form  f  f=  $  we  assume  that  the  domain  of  £  contains  the  free  variables  of 
and  that  constant  symbols  are  interpreted  by  their  defined  values.  The  satisfaction 
relation  is  defined  by  induction  on  the  construction  of  formulae.  The  key  is  for  the 
atomic  case.  The  remaining  cases  are  the  usual  (Tarskian)  definition. 

>  (Satisfaction): 

i  f=  <|0O  E  <fi  &  (<Po  '  0  £  (vi  :  0 
Z\=<p  eu  (<p  :  ()  eU 

f  f=  $0  A  (f  f=  $0  A  f  f= 

£  (=  --$o  &  h  $0) 
f  (=  (Vx)$  (Vi>)(f{x-M>}  (=  $) 


>  (Truth):  A  formula  is  true  if  all  environments  (that  map  constant  symbols  axe 
mapped  to  their  defined  values)  satisfy  it. 

h  $  (V|)(f  [=  $) 

We  will  generally  omit  the  [=  sign  and  simply  write  $  to  assert  that  $  is  true. 

^  (Abbreviations):  We  will  treat  — >  and  the  logical  connectives  ( V ,  ,  •o 

,  3)  as  syntactic  abbreviations  in  the  usual  manner.  Thus  we  have 

<Po  E  V?1  :=  E  <po 

<p0  =  tpx  :=  v?0  E  <^1  A  9?!  C  <p0 
V  :=  -’(-'$0  A  ->$i) 

$o  =*  $i  :=  ~’$o  V 

$o  ^  :=  =*•  A  =*>  $0 

(3x)$  :=  -’(Vx)(->$0) 

We  often  write  formulas  usjng  bounded  quantifiers.  This  is  an  abbreviation  in  the 
usual  manner.  Thus  (Vu  €  U)§  abbreviates  (Vu)(u  €  U  =»  $)  and  (3u  €  U)$ 
abbreviates  (3u)(u  €  U  A  $). 
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t>  (Sorts):  A  sort  is  a  non-empty  subset  of  V*,2  Some  examples  are  V*,  V,  O, 
P,  and  Co.  If  U  is  a  sort  we  may  declare  (locally)  that  some  variable  u  ranges  over 
U  in  expressing  properties  and  giving  proofs.  Thus  we  may  assert  “for  u  ranging 
over  U  we  have  This  is  equivalent  to  the  assertion  “u  e  U  =>  $(u)”.  For 
example  working  in  the  S-expression  context  if  we  specify  2  ranges  over  integers 
and  c  ranges  over  continuations  then  Cons[z,  c(y)]  =  c(y)  is  equivalent  to 

2  €  Dim  A  c€  Co  Cons[z,c(y)]  =  c(y) 


and  means  that 


{2  -e  t,  c  -e  7,  y  -e  v}  |=  Cons[2,  c(y)]  £  c(y) 

for  all  integers  i,  continuations  7  and  values  v. 

A  variable  is  assumed  to  range  over  V*  unless  otherwise  declared.  We  may 
write  (Vx  €  V*)  to  emphasize  that  x  is  required  to  range  over  all  values.  The 
sort  of  a  variable  occurring  bound  in  a  form  has  no  formal  significance.  Sorted 
variables  are  used  in  such  contexts  just  to  indicate  the  intended  range. 

5.2.  The  basic  theory 

We  observe  two  conventions  in  presenting  the  laws  of  our  theory:  free  variables 
are  implicitly  universally  quantified;  and  if  metavariables  ranging  over  forms  occur 
m  a  law  then  it  is  a  schema  representing  a  family  of  laws  one  for  each  assignment 

of  forms  to  the  form  variables  <^0, -  We  use  the  sign  ■  to  indicate  axioms 

and  rules  of  our  theory.  The  fact  that  they  are  true  according  to  our  definition  of 
satisfaction  means  that  any  derived  consequences  will  also  be  true  in  our  model 
(or  any  other  model  of  the  axioms  and  rules). 

5. 2*1.  Logic  of  partial  terms  and  approximation 

It  is  clear  from  the  definitions  of  truth  in  Ihim  that  we  have  ordinary  classical 
truth  relative  to  the  atomic  propositions  about  operational  approximation  and 
membership.  The  only  trick  is  that  we  must  account  for  the  fact  that  for  a  given 
interpretation  of  free  variables  a  form  may  not  have  a  well  defined  denotation  -  the 
computation  described  may  be  context-dependent  or  may  diverge.  Thus  the  logic 
is  a  classical  logic  of  partial  terms.  This  means  that  eliminating  (instantiating) 
universal  quantifiers  must  be  restricted  to  terms  that  are  operationally  equivalent 
to  values.  The  point  is  that  in  order  to  permit  instantiation  of  a  universal  variable 


2  N°n-emptyneSS  is  needed  to  preserve  the  classical  interpretation  of  quantifiers  rela¬ 
tivized  to  sorts.  See  for  example  [Goguen  and  Meseguer  1984]  for  discussion  of  problems 
a  arise  when  variables  are  allowed  to  range  over  empty  domains. 
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by  9  we  must  insure  that  ip  is  operationally  equivalent  to  some  value.  This  is 
guaranteed  by  operational  membership  in  some  set.  From  (forall.elim)  and  the 
fact  that  operational  membership  in  a  set  implies  operational  membership  in  V* 
we  can  derive  the  instantiation  rule  for  restricted  quantification  and  the  rule  for 
existential  introduction. 

■(Quantifier  laws) 

(forall.elim)  (Vx)$  A  <p  £  V*  =»  §{x/p) 

(forall.intro)  $  =»  (Vx)$  ;;  if  x  does  not  occur  free  in  any  implicit  assumptions 


(inst)  (Vu  €  U)$  A  <peU  =>  ${u/y>} 

(exist. intro)  €  V*  A  ${x/v?}  =j»  (3x)$ 

The  fact  that  operational  approximation  is  a  partial  order  is  expressed  by  the 
reflexivity  and  transitivity  laws. 

■(Partial  order) 

(refl)  p  C  <p 

(tran)  <po  C  <p1  A  C  ^  C <p2 

(refl)  and  (tran)  follow  from  the  corresponding  facts  for  dtrees. 

Substitution  of  approximate  forms  for  a  variable  in  a  third  form  gives  approx¬ 
imate  forms  and  substitution  of  equivalent  forms  for  a  variable  in  a  formula  gives 
an  equivalent  formula. 

■(Substitution) 

(subst.term)  <p0  C  (p1  =>  <p{x/<p0}  C  v?{xM} 

(subst.opin)  ip0  =  y?i  A  <p0  €  U  =*  €  U 

(subst.wff)  <^o  =  ^i  =>  ${x/v?0}  $(iM} 

(subst.term),  and  (subst.opin)  following  from  the  corresponding  properties  of 
dtrees.  (subst.wff)  can  be  derived  from  (subst.term)  and  (subst.opin)  using 
the  basic  logic  of  partial  terms. 

In  carrying  out  proofs,  we  will  use  the  basic  logic  of  partial  terms  and  opera¬ 
tional  approximation  without  explicit  mention. 


§5 


Towards  a  theory  of  function  and  control  abstractions 


41 


5.2.2.  In  laws 

In  order  to  make  reasoning  in  our  language  completely  syntactic  we  need  to 
provide  a  language  for  defining  sets  of  values  and  rules  for  reasoning  about  such 
sets.  As  a  step  in  this  direction  we  will  specify  a  collection  of  basic  sets  of  values 
and  some  operations  for  generating  additional  sets.  We  will  give  some  rules  for 
proving  operational  membership  based  on  the  constructions  of  forms  and  sets. 
These  rules  are  analogous  to  rules  for  type  assignment  in  a  formal  type  system. 

The  basic  sets  of  values  include  0  (the  empty  set),  M<  (the  singleton  set  con¬ 
taining  only  the  empty  sequence),  D,  Od,  P,  and  Co.  There  may  be  additional 
basic  subsets  of  D  depending  on  the  given  data  structure.  For  example  in  the 
case  of  S-expressions  we  will  also  have  Dmti,  Dint,  Dstr,  and  Dpair  as  basic  sets. 
From  the  basic  sets  we  can  obtain  additional  sets  by  operations  including  finite  set 
formation  {ui,. . .  ,vn},  union  (U),  intersection  (D),  formation  of  finite  sequences 
(*),  function  space  formation  ([  -4  ]),  concatenation  ([ ,  ]),  and  selection  (1st,  rst). 
Finite  set  formation,  union,  and  intersection  axe  the  usual  set-theoretic  operations. 
Formation  of  finite  sequences  is  described  in  §3.  Concatenation  and  selection  are 
the  lifting  of  sequence  operations  to  sets  of  sequences.  Thus 

u  €  p70,ffi]  <=*  (3uo  €  Uo,ui  €  U\)(u  =  [uo,ui]) 

u  €  1st  ( U )  (3u'  €  U)(u  =  1st  (u')) 

u  €  r8t  (U)  &  (3 u'  €  U)(u  =  r9t  ( u ')) 

Function  space  formation  selects  the  pfhs  that  compute  total  functions  from  the 
domain  component  to  the  range  component. 

p  €  [Uo  — ►  U\]  (Vu0  €  U0)(3ui  e  Ui)p(u0)  =  ui 

We  write  [U0, . . . ,  Un  -*  U]  for  [U0  . . .  -♦  [Un  -*  U) . . .]  and  U0  ©  Z7X  for  U0  U  Ui 
when  UqC\U\  =0  (disjoint  union). 

Some  examples  are 

0  =  U 

Mt  =  {}*  =  {□} 

O  =  Od  ®  p  0  Co 
V  =  D  ©  <0 
V+  =  [V,  V*] 

V*  =  M<  ©  V+ 


A 
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The  following  are  some  basic  laws  for  operational  membership.  They  will  be 
referred  to  collectively  as  “in  laws”.  The  validity  of  these  laws  follows  easily  from 
the  definitions. 

■(Logical  in  laws) 

0 

x  €  U0  A  U0  C  Ui  =*►  x  €  Ui 

x  €  (UoVU!)  =>  x  eu0  v  x  eUi 

x  €  U0  A  x  €  Ui  =>  x  €  (U0  D  Ux) 

■(In  laws  for  forms) 

x  €  V*  ;;  x  any  variable  symbol 
x  6  {x} 

A x.if  €  P 

o  €  [D  — *  D  ]  ;;  o  a  data  operation  symbol 

(Vx  €  U0)(v  6  lh)  =*  \x.tp  6  [U0  -► 
f  €  [U0  -  Ui)  A  x  €  U0  =►  /(x)  €  Ui 
x  €  M<  =>  x  =  mt 

x0  €  U0  A  xi  €  Ui  =*•  [x0,xi]  €  [17o,^i] 
x  €  U  =$■  fst(x)  €  l#t  ( U )  A  rst(x)  €  r#t  (17) 
top  €  Co 

ceCo=^co/€Co 

(Vc  €  Co)(y?  £  U)  =$>  note(c)v?  €  U 

5.2.3.  Some  proof  schemes 

Standard  techniques  for  proof  include  arguments  by  cases  and  induction.  Such 
arguments  are  valid  in  'Rum.  Argument  by  value  cases  corresponds  to  computation 
using  if  and  is  often  used  to  prove  properties  involving  conditional  expressions. 

■(Vcases)  Since  V*  =  Mi  ®  V+  to  prove  that  $  is  true  for  all  x  we  need  only 

prove  $  holds  in  the  case  x  £  mt  and  in  the  case  that  x  €  V+.  Formally  we  have 
the  scheme 

(Vx)(x  SMt=>$Ax€V+  =;>$)=>  (Vx)* 
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A  general  principle  of  induction  is  induction  on  a  well-founded  ordering.  A 
special  case  is  rank  induction. 

■(Well-founded  induction)  Let  U  be  a  sort  with  well-founded  order  -<.  For 
example  take  U  to  be  N  and  -<  to  be  <  or  take  U  to  be  the  S-expressions  and  -< 
to  be  the  sub-expression  relation.  We  may  prove  that  $(x)  holds  for  x  €  U  by 
proving  that  for  any  x  €  U,  $(x)  follows  from  the  assumption  that  $(y)  holds  for 
all  y  smaller  than  x.  This  is  formalized  by  the  the  following  induction  scheme 

(Vx  €  tf)((Vy  €  U)(y  -<  x  =►  *(y))  =»  $(x))  =»  (Vx  €  U)($(x)) 

For  example  induction  on  <  is  the  usual  course-of- values  induction  on  the  natural 
numbers  and  induction  on  the  subexpression  ordering  on  S-expressions  is  the  usual 
S-expression  induction. 

■(Rank  induction)  The  length  of  a  sequence  gives  rise  to  a  well-founded  ordering 
on  a  set  of  sequences  and  the  size  of  an  S-expression  gives  rise  to  a  well-founded 
ordering  on  a  set  of  S-expressions.  More  generally,  let  U  be  a  sort  and  let  p  be  a 
function  from  U  to  N.  p  is  called  a  rank  function  and  for  u  €  U,  p(u)  is  called  the 
rank  of  u.  The  ordering  -<p  on  U  defined  by 

y<px<&  p(y)  <  p(x) 

is  a  well-founded  ordering.  Induction  on  rank  is  formalized  by  the  rank  induction 
scheme 

(Vx  €  U)((Vy  €  U)(p(y)  <  p(x)  ^  $(y))  =*•  $(x))  =$■  (Vx  €  U)($(x)) 

5.3.  Computational  laws 

The  computational  laws  axe  based  on  the  computation  laws  for  dtrees.  The 
intuition  underlying  the  computational  laws  is  that  computation  states  and  steps 
can  be  simulated  using  forms  and  operational  equivalence.  Continuations  are 
represented  by  forms  satisfying  ip  €  Co  and  dtrees  are  represented  by  arbitrary 
forms.  In  the  step  rules  meta  variables  ranging  over  continuations  (resp.  values) 
are  replaced  by  variables  ranging  over  continuations  (resp.  values).  Begin  and 
return  state  formation  is  represented  by  application.  Using  the  computation  laws, 
computations  steps  are  simulated  by  (provable)  operational  equivalence.  Thus 
if  9?  is  closed  and  returns  a  value  v  in  the  empty  context  then  we  can  prove 
top(^)  =  top(i^v)  where  is  the  syntactic  representation  of  v.  This  is  made  more 
precise  in  the  appendix. 

The  computation  laws  fall  into  four  groups.  The  first  group  concerns  general 
laws  for  sequence  operations.  These  are  just  the  equational  laws  for  a  sequence 
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structure  with  the  empty  sequence,  concatenation,  and  projection  operations  (see 
§3).  The  second  group  concerns  embedding  the  theory  of  the  underlying  data 
structure.  The  third  group  concerns  equations  between  forms  representing  states 
that  correspond  to  steps  building  up,  capturing,  or  discarding  computation  con¬ 
text.  The  fourth  group  gives  basic  laws  for  application  and  conditional  forms. 

■(Sequence  laws)  For  a  ranging  over  singleton  values  (V) 

fst[a,  x]  =  a 

rst[a,  x]  =  x 

fst(mt)  =  rst(mt)  =  mt 

X  =  [fst(x),  rst(x)] 

[mt,  x]  =  x  =  [x,  mt] 

[[•c)  y\iz\  —  [^[y^]] 

The  theory  of  the  underlying  data  structure  is  embedded  by  defining  a  set 
of  forms  called  data  forms  that  are  forms  syntactically  guaranteed  to  denote  se¬ 
quences  from  the  data  domain.  We  then  interpret  £  restricted  data  forms  as  = 
and  €  restricted  to  data  forms  and  subsets  of  D*  as  €. 

>  (Data  forms):  Let  A"  be  a  set  of  variable  symbols.  The  set  of  data  forms  over 
X  is  the  least  set  containing  A,  the  data  constants,  and  mt,  and  such  that  if  p, 
Pi,p2  are  data  forms  over  A  and  o  is  a  data  operation  then  o(<p),  [<pi,p2\,  fst(v?)’ 
and  rst(<^>)  are  data  forms  over  A. 

■(dform)  For  A  ranging  over  data  sequences,  p tP]  data  forms  over  A  and  A  a 
sort  contained  in  D* 

•  (data)  <p  €  D* 

*(eq)  If  <po  =  Pi  holds  in  2)  then  <p0  =■  p\. 

•  (in)  If  p  €  A  holds  in  2)  then  <p  £  A. 

Notes 


The  introduction  of  the  notion  of  data  form  allows  us  to  view  the  language  of 
Ihim  as  an  extension  of  the  usual  language  associated  with  such  a  data  structure. 
Thus  we  have  reduced  reasoning  about  data  forms  to  reasoning  in  the  structure 


We  can  extend  the  class  of  data  forms  by  adding  constants  defined  by  pfns 
that  compute  functions  on  the  data  domain  to  the  list  of  data  operations.  This 
corresponds  to  enlarging  the  data  structure  by  adding  the  defined  data  operations. 
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An  alternative  method  of  embedding  the  theory  of  the  underlying  data  struc¬ 
ture  is  to  assume  that  it  is  specified  by  a  collection  of  axioms  (and  constraints  such 
as  initiality)  and  include  this  specification  in  the  laws  of  7 'him.  Some  care  needs 
to  be  take  that  the  intended  interpretation  of  the  specification  is  not  changed  in 
the  process. 

Endnote. 

■(Context  sensitive  laws)  For  c,  c'  ranging  over  continuations 


(app) 

c(<fo(Vi ))  =  (c  0  appi((/?i ))(vo ) 

(appi) 

(c  o  appi(v?i))(x)  =  (c  o  appc(x))(<^i) 

(*) 

c(i%0,^i,V>2»  =  (c  o  so2))(v,o) 

(cart) 

c(cart(v?0,</?i)  =  (c  o  carti(^i))(y0) 

(carti) 

(cocarti(^x))(x)  =  (c  o  cartc(x))(^i) 

(fst)  ' 

c(fst(v?o)  =  (c  o  fstc)((^0 ) 

(rst) 

c(rst(<pQ)  £  (c  o  rstc)(v?0) 

(note) 

c(note(c)<,p)  =  c(ip) 

(sw) 

c(c'(x))  ^  c'(x) 

■(lam  and  if  reductions) 

(letv) 

let{x  -+■  x}ip  =  (Ax.t^)(x)  = 

(ifi  .nmt) 

x  €  V+  =»  if(x,  ,  <^2)  =  <pi 

(ifi.mt) 

if(mt,v?i,^2)  =  <p2 

5.3.1. 

Extensionality  and  recursion 

Our  final  set  of  basic  laws  expresses  the  essence  of  operational  approximation 
and  equivalence,  (op. ext)  and  (note.abs)  follow  from  the  corresponding  dtree 
properties.  Together  with  the  substitution  and  order  laws  they  say  that  opera¬ 
tional  approximation  and  equivalence  are  compatible  relations  (are  preserved  by 
form  constructions)  [Barendregt  1981;  p.  50].  (c.ext)  is  just  the  definition  of 
approximation  on  dtrees. 

■(  Ext  ensionality ) 

(op. ext)  f  €0  A  g  e®  A  (Vx)(/(x)  C  g(x))  =>  f  C  g 

(note.abs)  (Vc  €  Co)(</?o  E  t^)  =*.  note(c)v?o  E  note(c)<^i 

(c.ext)  (Vc  €  Co)(c(<,5a)  C  c(t,5b))  =*•  E  ‘r’b  ;;  c  not  free  in  <?b 
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The  recursion  theorem  says  that  the  recursion  pfn  Rec  computes  the  least 

fixedpoint  of  pfhs  of  the  form  Xf.Xx.ip.  It  follows  from  the  corresponding  theorem 
for  pfns. 

■(Recursion  theorem) 

(rec.df)  Rec(x)  €  P 

(rec.fix)  F  =  Xf.Xx.ip  A  /  =  Rec(F)  =*  /(*)  s  <p 

(rec. min)  F  2  Xf.Xx.ip  A  f  =  Rec  (F)  A  F{g)  C  g  =*  /C? 


Note,  (rec.fix)  says  that  pfns  defined  by  recursion  satisfy  the  equation  obtained 
by  replacing  <-  by  £.  The  converse  of  (rec.fix)  is  not  necessarily  true  since 
recursion  equations  contain  additional  information  specifying  how  computations 
axe  to  be  earned  out.  For  example  f{x)  *  /(x)  is  trivially  true  but  f(x )  <-  f(x) 
imphes  that  /  is  the  everywhere  undefined  pfn.  The  recursion  theorem  extends 

!  nLi  t  6X6(1  P°mt  theorem  for  the  model  of  the  lambda  calculus  [Scott 

1976J  to  a  language  with  control  abstractions.  Endnote. 

5.4.  Some  simple  derived  laws 

To  illustrate  the  use  of  the  basic  laws  and  the  logic  of  partial  terms  we  will 
derive  some  simple  (and  useful)  consequences.  We  begin  with  two  simple  exercises. 

Exercise.  Prove  the  following  corollary  to  the  (letv)  law. 

Vo  €  V*  =*►  let{x  <po}ip  =  ip{x/ip0}. 


Exercise.  Prove  (rec.df)  and  (rec.fix)  within  the  first-order  theory.  Hint  use 
the  basic  laws  for  computation,  membership,  and  the  extensionality  law. 

Theorem  (nmt):  a  €  V  =*>  a  ^  mt 

Proof  (nmt):  By  the  intersection  and  emptyset  inlaws  we  have 


a€V  A  a  =  mt  =>  a  €  V  Pi  M<  =  0 


Dnmt 

Value  forms  give  simple  syntactic  criteria  for  forms  ipv  guaranteed  to  satisfy 
£  V  . 


c  (Vform):  Value  forms  are  the  least  set  of  forms  containing  the  variable  and 

fsX  T  r.tfmbt°1S' r,;/°P’  ‘he  lambda-forms  (-'*■»’),  and  containing  Vv,2], 
(v>v),  (yv),andt  f(v>.,tPv,i,v>v,2).  whenever  9,,  *>.,1,  and  v>v,2  are  value  forms. 
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Theorem  (vform):  If  v?v  is  a  value  form  then  ipv  €  V*. 

Proof  (vform):  by  induction  on  the  generation  of  value  forms  and  the  in  laws, 
^vform 

We  will  use  (vform)  without  explicit  mention  to  instantiate  (unrestricted)  uni¬ 
versal  variables. 

Direct  application  of  (letv)  requires  that  the  argument  expression  be  opera¬ 
tionally  equivalent  to  a  value.  It  is  also  valid  when  the  let  variable  occurs  in  an 
evaluated  position  in  the  body.  This  will  be  made  precise  later.  Here  we  prove  a 

special  case  in  order  to  illustrate  the  use  of  the  computation  and  extensionality 
laws. 

Theorem  (idcnv):  let{x-<-  <p}x*v 

Proof  (idcnv):  Note  that  let{x  <p}x  =  (\x.x)(<p). 

(i)  c((Ax.ar)(v?))  3  (c  o  appc(Ax.x))(^)  ;;  (app,appi) 

(ii)  (c  °  appc(Ax.x))(x)  =  c((Ax.x)(x))  ;;  (app,appi) 

(iii)  c((Ax.x)(x))  2  c(x)  ;;  (letv) 

(iv)  c  o  appc(Ax.x)  =  c  ;;  (op.ext)  and  (iii) 

(v)  c((Xx.x)(<p))  =  c(<p)  ;•  (i)  and  (iv) 

(vi)  (Xx.x)(if)  =  (p  ;;  (v)  and  (c.ext) 

As  advertised,  we  have  used  the  laws  for  instantiation  and  substitution  in  the 
above  proof  without  explicit  mention.  We  leave  it  as  an  exercise  for  the  reader  to 
fill  in  the  details.  Didcnv 

Another  let-law  is  the  let-permutation  rule.  This  rule  allows  nested  let  expres¬ 
sions  to  be  flattened. 

Theorem  (let.perm): 

let{x  let{y  —  let{y  -f-  ^>o}let{x  91  }<p 

where  y  is  not  free  in  <p. 

Proof  (let.perm):  Assume  y  is  not  free  in  <p.  Then  by  the  computation  laws 
(i)  c(iet{x  let{y  y’ol^i}^)  —  ((c  0  appc(Ax.<^>))  0  appc(A7/.(^1))((^0) 

(11)  c(let{y  <p0}let{x  =  (c  o  appc(Ay.let{x  ■+  9i}^))(v?o) 

(iii)  ((c  o  appc(Ax.<£>))  o  appc(Ay.<^))(y)  s  (c  0  appc(Ax.^))(sc1 ) 

-  (c  o  appc(Ay.let{x  -e  <pi}<p))(y) 
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and  by  (op.ext)  using  y  not  free  <p 

(iv)  (c  o  appc(Ax.<^>))  o  appc(Ay.^a  )Sco  appc(Ay.let{x  <px  }v) 
and  by  (iv) 


(v)  ((c  o  appc(Ax.9))  o  appc(Ay.v?i))(v?0)  2  (c  o  appc(Ay.let{x  + <pi}<p))(<p0) 
Hence  by  (i),(ii),(v)  and  (c.ext)  we  are  done.  Dje^  perm 

Proofs  of  the  remaining  theorems  can  be  found  in  the  appendix.  Using  (letv) 

(op.ext)  and  (rec.min)  (for  (bot))  we  have  the  following  standard  properties  of 
partial  functions. 


Theorem  (Laws  about  functions): 

(lam.abs)  (Vx  €  V)(Vo  2  <px)  *  Ax.^o  2  A x.^ 
(op.eta)  /  €  O  =>•  A z.f(z)  2  / 

(cmps.id)  /€0=*»|o/£/2/o| 

(cmps. assoc)  (/  o  g)  o  h  2  /  o  (y  o  h) 

(bot)  g  e  O  =>  Rec(A/.Ax./(x))  C  g 


Note.  In  'Ram  (op.ext)  is  stronger  than  (lam.abs)  since  the  computation  do- 
main  contains  operations  other  than  pfns  (namely  continuations  and  data  opera- 

,  J°nS ,.  ■‘hei‘e  8X6  alternative  formulations  in  which  only  pfns  occur  as  values  and 
this  distinction  goes  away,  (op.eta)  is  a  limited  form  of  the  eta-conversion  rule 
for  lambda  calculi.  This  is  because  in  the  pure  lambda  calculus  there  are  only 
functions  so  the  bounded  quantification  is  trivial.  When  there  are  objects  other 
tian  functions  then  (eta)  only  makes  sense  in  the  restricted  form.  Endnote. 

By  (vcases)  argmnents  using  (ifmt)  and  (ifnmt)  (and  also  (op.ext)  for 
(li.lam))  we  have  the  following  properties  of  if. 

Theorem  (If  laws): 


(if. sort)  <p0  g  U0  A  <px  €  Ux  =>  \f(z,<p0, <px)  eU0UUi 

(if.elim)  if(z,  ip,<p)  2  <p 

(if.perm)  if(x,  if(y,  <p&,  <ph),  if (y,  ipc,  <pd))  2  if(y,  if(x,  y>a,  <pc),  if(x,  <pb,  Vd)) 
(if.lam)  Ax.if(z,  <px ,  ip2)  —  if (z,  \x.<px ,  A x.tp2) 

(if.subst)  („  €  V+  =►  Vl  2  <pt)  A  („  2  mt  *  y>2  2  <*)  A  9  g  V* 

=►  «%.?i,V>2)  =  i%, 93,^4) 
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From  the  basic  computation  rules  for  cart,  fst,  rst  and  the  in  laws  we  have  the 
following. 

Theorem  (Cart  laws): 

(cart. assoc)  [[v>o,y>i] ,¥>2]  =  [v?o,  bi,  ¥>2]] 

(fst.rst)  x  €  V+  =>  fst[x,y]  =  fst(x)  A  rst[x,y]  =  [rst(x),y] 

Note  that  the  law  x  =  [fst(x),  rst(x)]  cannot  be  generalized  to  arbitrary  terms.  A 
counter  example  is  note(c)c.  This  is  because  c^co  carti(rst(x))  0  fstc. 

From  the  computation  rules  for  noting  and  switching  using  (c.ext)  we  have 
the  following. 

Theorem  (Note  laws): 

(note.triv)  note(c)y>  =  <p  ;;  c  not  free  in  <p 
(note.id)  note(c)c(y?)  =  <p  ;;  c  not  free  in 
(note.esc)  c  €  Co  =»  c  0  (Ax.note(c)(/?)  =  c  0  (A x.<p) 

(note.ren)  note(c)note(c')</?  =  note(c)9?{c'/c) 

■(Extending  laws  to  extended  syntax)  Laws  for  lambda  application  and 
let  generalize  in  a  straightforward  way  to  the  extended  syntax  for  currying  and 
splitting  sequence  arguments.  For  example 

(letv.cart)  ajgV  A...  Aan€V4-  (A[ai,...a„,y]v?)[ai,...an,y]  =  <? 

(letv. curry)  (A(n,  ...x„)<^)(xi,  ...x„)  =  <f 

The  scheme  for  cart  associativity  says  we  can  treat  cart  as  a  multi-ary  operation 
without  ambiguity. 

5.5.  Puzzling  with  current  puzzle. 

To  illustrate  some  of  the  power  and  also  weaknesses  of  our  theory  we  solve 
(formally)  a  puzzle  posed  in  [Queinnec  and  Seniak  1989].  call-cc  is  the  Scheme 
control  abstraction  primitive  and  can  be  represented  in  7 "him  by 

>  Cwcc  =  A/.note(c)/(c) 

The  puzzle  is:  what  is  the  meaning  of  the  following  two  Scheme  expressions? 
(i)  (call-cc  call-cc) 
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(ii)  ((call-cc  call-cc)  (call-cc  call-  cc)) 

Translated  into  Rum  we  ask  the  meaning  of  the  corresponding  Rum  expressions. 

(i)  Cwcc(Cwcc) 

(ii)  (Cwcc(Cwcc))(Cwcc(Cwcc)) 

The  solution  is  given  by  lemmas  (cwcc.2)  and  (cwcc.2.2)  below.  Lemma  (cwcc) 
is  the  analog  of  the  note  law. 

Lemma  (cwcc):  From  the  note  law  we  have  (for  c  ranging  over  continuations) 
c(Cwcc(/))  3  c(/(c)) 

Lemma  (cwcc.2):  Cwcc(Cwcc)  =  note(c)c 

Proof  (cwcc.2):  We  have  by  two  applications  of  (cwcc)  and  the  sw  law 

C(CWCC(CWCC))  =  c(CwCc(c))  ;;  by  (cwcc) 

—  c(c(c))  ;;  by  (cwcc) 

—  c(c)  ;;  by  the  SW  law 

=  c(note(c)c)  ;;  by  the  note  law 

Hence  by  extensionality  we  are  done. 

Lemma  (cwcc.2.2):  (Cwcc(Cwcc)(Cwcc(Cwcc)))  is  undefined  -  describes  an 
infinite  computation  in  every  context.  Formally  we  can  express  this  as 

(Cwcc(Cwcc)(Cwcc(Cwcc)))  f  V*. 

Proof  (cwcc.2.2):  This  will  be  an  informal  outline.  We  take  the  computation 
laws  seriously  as  reduction  rules  and  show  that  in  any  context  the  computation 
sequence  for  c(note(c)c)(note(c)c)  is  infinite  for  any  c.  Let  c0  =  c  o  appi(note(c)c)) 
and  cn+1  =  c  o  appc (c„)  Then 

(i)  c( note(c)c)( note(c)c)  xU  c0(c0)  and 

(ii)  cn(cn)  > — ♦  cn+1(cn+1)  for  any  n. 

Case  (i):  By  the  computation  rules  we  have 

c((note(c)c)(note(c)c))  (c  o  appi(note(c)c))(note(c)c) 

■+■  , 

W  (c  0  appi(note(c)c))(c  o  appi(note(c)c))  =  c0(c0) 
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Case  (ii):  By  induction  on  n  and  the  computation  rules  we  show  cn(/) 
co  (appc(/))(note(c)c).  For  n  =  0 

co(/)  =  (coappi(note(c)c))(/)  (c  o  appc(/))(note(c)c) 
and  for  n  >  0 

Cn+l(/)  >— ►  C(C„(/))  > - ►  Cn(/) 

>— ■+  c  o  appc(/)(note(c)c)  ;;  by  induction  hypothesis 

Now  it  follows  easily  that 


Cn(Cj») 


Cn+i(note(c)c) 


►  Cn+i(cn+i). 


^cwcc.2.2 

Note.  It  remains  an  open  question  how  to  axiomatize  computation  and  induction 
on  the  length  of  computation  so  that  arguments  like  the  above  can  be  carried  out 
within  the  formal  theory  rather  than  by  appeal  to  the  model.  Endnote. 

5.6.  Context  motion 

The  context  motion  theorem  gives  some  general  laws  for  moving  expressions 
across  a  special  class  of  contexts  we  call  evaluated  position  contexts.  The  notion 
of  evaluated  position  context  extends  the  notion  of  evaluation  context  (contin¬ 
uation)  by  looking  inside  lets  and  notes  (see  also  [Felleisen  and  Friedman  1986, 
Felleisen  1987]).  We  will  define  the  notion  of  evaluated  position  contexts,  state 
the  main  theorem  and  derive  some  useful  consequences  to  illustrate  application  of 
the  theorem. 

5.6.1.  Context  motion  theorem 

>  (epcx):  The  set  of  evaluated  position  contexts  and  the  variables  trapped  by 
an  evaluated  position  context  are  defined  in  Figure  7.  Evaluated  position  context 
is  the  least  set  closed  under  the  constructions  in  the  first  column  and  trap(C),  the 
variables  trapped  by  the  context  C  is  defined  in  the  second  column  by  induction 
on  context  construction.  C[(y?]  is  the  result  of  replacing  [  J  by  in  the  first  step  of 
the  construction  of  C .  Context  equality  is  modulo  alpha-conversion  as  usual  with 
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c 

trap(C ) 

[} 

0 

CoM 

trap(Co) 

<cx) 

trap(Ci) 

[Co,9i] 

trap(Co) 

trap(Ci) 

if(C'o,v’i»v?2) 

trap(Co) 

» r(*.Ci,Ca) 

trap(Ci)  U  trap(C2 ) 

fst(Co) 

trap(C0 ) 

rst(C'o) 

trap(Co) 

let{z  x}Co 

{z}  U  trap(Co ) 

note(c)C0 

{c}  U  trap(Co) 

Figure  7.  Evaluated  position  contexts 

the  restriction  that  a  bound  variable  with  a  hole  in  its  scope  cannot  be  renamed 
Note  that  Frees([x,  <p])  n  trap(C)  =  0  implies  that  C[<p\  =  C[x\{x/tp}. 

Theorem  (context  motion):  Let  C  be  an  evaluated  position  context  and  let 
c  range  over  continuations.  Assume  Freest,  x,  c,  Jb]  D  trap(C)  =  0  and  x,  k  are  not 
free  in  C.  Then 

(letx)  let{x  <p}C\x\  &  C[<p J 

(escape)  C{c(<p) ]  ^  c(v?) 

(let.dist)  C[let{x  -e  v’Jv’ol  =  let{x  + 

(if.dist)  C[rf(ip,<pU'p2)]2£H(<p,Cl<pi\,C[<p2]) 

(note.dist)  C[note(fc)^l  =  note(fc)let{fc  +  k  o  \x.C{x\}C[tp\ 

Proof  (context  motion):  The  proof  of  (letx)  is  a  straightforward  induction  on 
the  construction  of  evaluated  position  contexts,  (escape)  follows  from  (letx)  and 
the  special  case  of  escaping  from  the  argument  of  a  let  expression.  For  (let.dist) 
we  observe  that  let{x -e  =  (Ax.(/?)((^0)  and  thus  we  can  use  (letx)  followed 
by  (letv)  to  distribute  the  let.  (if.distrlet.dist, note.dist)  are  not  simple  appli¬ 
cations  of  (letx)  since  ¥>0,  V>\ ,  ¥J2  do  not  need  to  satisfy  the  restriction  placed  on  <p. 
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(if.dist,note.dist)  axe  proved  by  induction  on  the  number  of  trapped  variables  in 
C.  The  key  is  to  note  that  (by  induction  on  construction  of  C )  either  C  has  no 
trapped  variables  (is  a  pure  evaluation  context)  or  we  can  find  Co,  C\  such  that 
trap(Co)  =  0  and  C  =  Co[let{x u}CiJ  or  C  =  Co[[note(c)CiJ.  The  base  case 
is  proved  using  (letx)  and  the  special  cases  where  the  context  is  the  argument  of 
a  let.  The  induction  cases  are  proved  using  the  above  decomposition  of  contexts 
and  (note.ren,note.esc,note.if)  from  above,  ^context  motion 

5.6.2.  Consequences  of  the  context  motion  theorem 

Corollary  (defn.inst):  If  F  is  defined  by 

■^X®1 » •  •  •  i  »  •  •  •  »  ®n)  *  C|xiJ 

then 

F(xi  x„)  =  CM 

Proof  (defn.inst): 

P(xi , •  •  •  , , ^n)  =  l®t{x,'-^-^)i'1(xi,...,Xj,...,Xn)  ;;  (letx) 

—  let{xj  -<-¥>}Cfx,-]  ;;  (rec.flx) 

—  CM  ;;  (letx) 


*-^defn.inst 

Corollary 

(escape):  For  c 

ranging  over  continuations 

(esc.fun) 

(c(v?0))^i  =  c(<p0) 

;;C  = 

DM 

(esc.arg) 

z(z  1 ,  •  •  •  ,  Zj  — 1 ,  ci}p\) 

, . . . ,  </?n) 

-  cM 

ii  C  =  z(zi 

••t¥>n) 

(esc. cart) 

[zlt  •  •  •  Zj— 1,  c(<£>j),  .  . 

-M 

?;  C  —  [z\ , . . . ,  Zj 

•>¥>n] 

(esc. if) 

i^(c(v?o),VJi,V?2)  =  c 

■M 

;;  c  =  if([  ],^i, <f2) 

(esc.fst) 

fst(c(<^o))  £  c(v?o) 

;;C  = 

ftt([  1) 

(esc.rst) 

rst(c(<^o))  =  c(<p  o) 

;;C  = 

rst([  ]) 
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Corollary  (if.dist): 

(lf.if)  if(if(v’0,¥>l,V?2)»^a,V?b)  =  if(^0,if(^l,^a,¥,b),if(v?2>V:,a5  Vb)) 

;;  C  =  if([  ],v?a,¥>b) 

(lf.or)  'f(or((,oa,v?b),¥?i,92)  =  ifCv’a, V^i » ‘^(^b, ^1^2))  ;;  (if.if),  (if.eval) 

(if. fun)  (i%o,V?i,92)V  =  i%o,Vi(9?),V?2(<^))  ;;  C  =  [  ](*>) 

(if.arg)  2(21  ...ar>,if(^a,Vb,^c),.--Vi») 

=  ■  •  •  Zj,tp b,  •  .  •'  ,V?n),z(2i,.  .  .  ,Zj,if c,  . .  .  ,<^n)) 

;;  C  =  2(2i,...,2j_!,[  <pD) 

(if.  cart)  [zi , . . .  Zj,  if(v?a,  <^b,  <pc), 

-  '%a,  [*1 ,  •  .  •  Zj,  (fib,...,  ¥>n],  [21, . .  .  Zj,  <fc, . .  .  ,  pB]) 

n  C  —  [zj  ,  . .  . ,  Zj_i ,  [  ], ,  <fa] 

(if.let)  ^  €  V*  **>  let{a:  -<-9?}if(<l(?o,v?i,V?2)  =  i%0,  let{*  +  <p}<pu  let{ar  -e  <f}f2) 

;>  C  =  let{a;  y>}[  ],  x  not  free  in  <po 

(if.note)  note(c)if(<^0,^?j,^2)  —  if (<fo ,  note(c)^i,  note(c)y>2  )y? 

n  C  =  note(c)[  ],  c  not  free  in  tpo 
Corollary  (let.dist): 

(let.app)  2(let{x-<-<£>o}<^i)  —  let{x -<-y>0}z(y>i)  ••  C  =  z([  ]) 

(let. note)  let{x  v?}note(c)v?a  =  note(c)let{x  <f}f1  ;;  c  =  note(c)[  ] 

;;  c  not  free  in  <p 

Corollary  (note.dist): 

(note.fun)  (note(c)y>0Vi  =  note(c)let{c  +  co  appifaj)}^^) 

;;  C  =  [  J(v?i) 

(note.arg)  2(note(c)<^i)  =  note(c)let{c -e  c  0  appc(2)}z(^1)  n  C  =  z([  ]) 
(note. test)  if(note(cVo,^,^2)  Si  note(c)let{c  +  co  ifi^i,^)}^,^,^) 

;;  C  =  if([  ],v>i, v?2) 

(note.carti)  [note(cVo,  <Pi]  =  note(c)let{c  c  0  carti(</?1)}[v?0,  ¥>i] 
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;;C  =  [[]^i] 

(note.cartc)  [z,  note(c)y?i]  =  note(c)let{c  -e  c  o  cartc(z)}[z,  v?i]  ;;  C  =  [z,  [  ]] 
(note.fst)  fst(note(c)<,?o)  —  note(c)let{c-<-c  o  fstc}fst(v?0)  ;;  C  -  fst([  J) 

(note.rst)  rst(note(c)v?o)  =  note(c)let{c-<-c  o  rstc}rst(<,<?o)  ;;  C  =  rst([  ]) 

Note.  The  corollaries  to  (escape)  and  (note.dist)  parallel  the  rules  for  moving 
context  capturing  and  aborting  primitives  to  the  outside  of  an  expression  given  in 
[Felleisen  and  Friedman  1986].  Endnote. 
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6.  Proving  properties 

In  the  previous  section  we  showed  how  to  interpret  forms  as  terms  in  a  lan¬ 
guage  for  expressing  extensional  properties  of  pfns  and  more  generally  properties 
of  sequences  from  the  computation  domain.  The  formal  semantics  of  this  language 
was  defined  and  general  laws  for  reasoning  in  this  language  were  developed.  Now 
we  will  fix  the  data  structure  to  be  the  S-expression  structure  and  use  these  tools 
to  formulate  and  prove  the  extensional  properties  of  pfns  expressed  informally  in 
§  — '  * 

6.1.  Vari-ary  functions  and  function  schemes 

Recall  that  StrConc  is  the  string  concatenation  operation  defined  by 
>  StrConc[x, y]  ♦-  StrMk[StrUn(x),StrUn(y)] 

The  fact  that  StrConc  maps  pairs  of  strings  to  strings  is  formalized  as  follows. 

Theorem  (StrConc.sort):  StrConc  6  [[0gtr,  Dgtr]  -4  Bgtr] 

Proof  (StrConc.sort):  Assume  that  a0  €  Dstr  and  at  €  Dstr.  Then  we 

must  show  that  StrConc[a0,  ai]  €  Bstr.  Note  that  Strlln(ao),  Strlln(ai),  and 
StrMk[StrUn(ao),StrUn(ai)]  are  data  forms.  Thus  we  have 

StrConc[a0,ai]  =  StrMk[StrUn(ao),StrUn(ai)j  ;;  rec.fix 
[StrUn(ao), StrUn(ai)]  £  ID*nt  ;;  S-expression  theory 
StrMk[Strlln(ao),StrUn(a1)]  £  Bstr  ;;  S-expression  theory 

'-'StrConc.sort 

The  fact  that  StrConc  is  associative  and  has  the  empty  string  (StrMk(mt))  as 
left  and  right  identity  amounts  to  saying  that  the  domain  of  strings  with  StrConc 
and  the  empty  string  constitutes  a  monoid.  This  is  formalized  by  (StrConc.monoid). 

Theorem  (StrConc.monoid):  For  strings  ao,ai,a2 

StrConc[StrConc[ao,  ai],  02]  =  StrConc[ao,StrConc[ai,a2]] 
StrConc[StrMk(mt),a0]  ^  StrConc[a0, StrMk(mt)]  ^  a0 

Proof  (StrConc.monoid):  Exercise  □StrConc.monoid 
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Now  we  turn  to  the  Sit  example.  The  point  here  is  to  show  how  properties 
of  higher  order  functions  can  be  thought  of  as  schemes  for  proving  properties  of 
instances.1  Recall  that  Sit  is  defined  by 

>  Sit (/,&,*)  <-  if(x,/(fst(x),Sit(/,6,rst(x))),6) 

The  sort  of  Sit  is  given  by  (Sit. sort). 

Theorem  (Sit .sort):  For  any  subdomains  Ao,  A\  of  the  computation  domain 

Sit  6  [[Ao,Ai  — ►  A\],Ai,Aq  —*  Ai] 

Proof  (Sit.sort):  Assume  /  €  [Ao,Ai  — >  Ai],  b  €  Ai,  and  x  €  Aq.  We  will 
show  by  induction  on  x  that  Sit(/,  b,x)  £  A\. 

Case  (x  =  mt):  Sit(/,  6,  x)  =  b 

Case  ( x  =  [ao,a:i]  €  [Ao,AJ]):  by  computation  Sit (/,  6,  x)  = /(ao,Sit(/,  6,  xi)). 
By  the  induction  hypothesis  we  have  Sit(/,  6,  xi)  €  Ai  and  by  the  type  of  /  we 
have  /(a0,Sit(/,6,X!))  €  Ax.  Dsit.sort 

Now  we  use  (Sit.sort)  to  deduce  the  sort  of  ListMk.  Recall  that  ListMk  is 
defined  by 

>  ListMk(x)  *—  Sit(Ax, y.Cons[x,  y],  Nil,  x) 

For  any  subset  A  of  S-expressions  ListMk  maps  sequences  from  A  to  lists  from  A. 
To  formalize  this  we  need  to  formalize  the  notion  of  “lists  from  A” . 

Definition  (List):  For  any  set  A  of  S-expressions  List(A)  is  the  least  set 

containing  Nil  and  Cons[a,x]  for  each  a  in  A  and  x  in  List(A). 

Note  that  by  definition  of  List(A)  we  have 

Lemma  (Cons.sort):  Ax,y.Cons[x,y]  €  [A,  List(A)  — ►  List(A)].  Also,  the 

domain  of  all  lists  is  just  Ltst(Dsexp)* 

Now  we  can  formally  express  the  sort  of  ListMk  as  follows. 

Theorem  (ListMk. sort): 

A  C  DSexp  =>  ListMk  €  [A*  -*  List(A)] 


1  A  more  substantial  example  is  the  use  of  functionals  to  describe  search  strategies 
[Talcott  1985,  Appendix  B]. 
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Proof  (ListMk.sort):  by  (Sit.sort)  and  (Cons.sort)  DustMk.sort 

Note.  An  alternative  definition  of  lists  from  A  is  List(A)  =  ListMk(A*),  extend¬ 
ing  ListMk  to  sets  of  S-expression  sequences  and  we  could  add  ListMk  to  our  list 
of  set  constructors.  Endnote. 

Exercise.  The  inverse  of  ListMk  is  ListUn.  Define  ListUn  and  show  for  sequences 
of  S-expressions  u  and  lists  x 

ListUn(ListMk(u))  =  u 
Li$tMk(ListUn(x))  =  x 

Exercise.  Define  ListConc  using  ListMk  in  anology  to  StrConc  and  prove  that  for 
lists  x,  y 

ListConc(x,  y)  =  Append(x,y) 
where  Append  is  defined  by  the  usual  recursion  on  lists. 

>  Append(x,y)  «-  if(Mtlp(x),y,  Cons(Car(x),  Append(Cdr(x),y))) 

Exercise.  Since  Dsexp  is  finitely  and  freely  generated,  and  tests  for  the  various 
sorts  are  provided,  equality  between  S-expressions  SexpEq  is  computable.  Define 
pfns  that  test  for  equality  of  S-expressions  of  each  sort:  IntEq  for  integers,  StrEq 
for  strings,  and  PairEq  for  pairs.  The  test  pfns  should  return  the  empty  sequence  if 
the  arguments  are  not  of  the  correct  sort  or  are  not  equal.  Otherwise  they  should 
return  one  of  the  arguments.  Prove  that  IntEq  €  [[DBexp,  D9exp]  -+  D9exp]  and  that 
for  x,  y  ranging  over  S-expressions 

x  €  Dint  A  x  =  y  lntEq(x,  y)  =  x 
“■(x  €  Dint)  V  x  ^  y  =*>  lntEq(x,y)  =  mt 

Similarly  for  StrEq  and  PairEq.  SexpEq  is  defined  by 

SexpEq[x,  y]  =  or(lntEq[x,  y],  StrEq[x,  y],  PairEqfx,  yj) 

SexpEq  is  not  specified  for  non- S-expression  arguments.  Prove  that  for  S-expressions 

x,y 


SexpEq[i,y]a{*t  xx^ 
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6.2.  Object  behaviors. 

The  set  of  message-reply  sequences  constituting  an  objects  observable  behav¬ 
ior  can  be  thought  of  as  a  tree  with  edges  labeled  by  messages  and  nodes  labeled 
by  replies.  Such  a  tree  is  characterized  by  a  function  mapping  sequences  of  mes¬ 
sages  (histories)  to  a  function  (the  immediate  behavior  relative  to  the  history) 
mapping  messages  (the  current  message)  to  replies.  Given  a  behavior  function  B, 
we  say  that  a  pfn  t?  describes  behavior  B  if  there  is  a  family  of  pfns  t?h  indexed 
by  sequences  of  messages  h  such  that  t?G  =  t9  and  (m)  =  $[h,m ],#(/i,m)  for  any 
(acceptable)  message  sequence  h  and  message  m. 

Recall  that  a  cell  with  contents  a  responds  to  a  get  message  by  returning  a 
and  responds  to  a  jet  message  with  contents  component  b  by  becoming  a  cell  with 
contents  6. 

Using  the  tests  Getmsg  and  Setmsg  to  distinguish  message  types,  and  the 
selector  Contents  to  extract  the  contents  component  of  a  set  message,  the  cell 
behavior  function  C(a )  can  be  specifyed  (by  induction  on  the  history)  as  follows. 

Definition  (Specification  of  cell  behavior): 

Getmsg(m)  =>  C(a)(a)(m)  —  a  A  C(a)[m,h](m')  =  C(a)(h)(m') 

Setmsg(m)  =$>  C(a)(o)(m)  =  □  A  C(a)[m,  h}(m')  =  C(Contents(m))(/i)(m') 

Now  we  can  make  the  statement  that  a  pfn  describes  the  behavior  of  a  cell  with 
contents  a  precise  by  saying  it  generates  the  behavior  C(a).  The  correctness  of 
the  pfn  Cell  is  expressed  the  following  theorem. 

Theorem  (cell.beh):  Cell(a)  generates  the  behavior  C(a). 

Recall  that  the  pfn  Cell(a)  is  defined  by 

>  Cell(a)  «—  Aro.if(Getmsg(m),  [Cell(a),a], 

if(Setmsg(m),  Cell(Contents(m)), 

Cell(a))) 

To  get  a  better  understanding  of  cell  behavior  we  define  three  auxiliary  pfns.  Next 
computes  the  next  state  of  a  cell,  Reply  computes  the  reply  to  a  message,  and  Eff 
computes  the  effect  of  a  sequence  of  messages  on  the  state  of  a  cell. 

>  Next(a,  m)  «—  if(Getmsg(m),a,  if(Setmsg(m),Contents(m),a)) 

>  Reply(a,m)  <—  if(Getmsg(m),  a,  mt) 

>  Eff(a,  h)  if(fc,a,  EfF(Next(a,fst(/i)),  rst(ft))) 
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Then  we  have  the  following  useful  facts. 

Lemma  (factoring  cell  behavior): 

•  (cell. response)  Cell(a)(m)  2  [Cell(Next(a,  m)),  Reply(/i,  m)] 

•  (next.eff)  EfF(a,  [h,  m])  =  Next(EfF(a,  h),  m) 

■  (reply.eff)  Reply(EfF(a,  h),m)  =  C(a)(h)(m) 

Exercise.  Prove  the  factoring  lemma. 

Now  we  can  prove  (cell.beh) 

Proof  (cell.beh):  We  must  find  a  family  of  pfns  that  satisfy  the  definition  of 
generates  a  behavior”.  Take  tfa,h  =  Cell(EfF(a,  h)).  Then  we  have  t?a,0  =  Cell(a) 


tfa,h(m)  =  [Cell(Next(EfF(a,  h),  m)),  Reply(EfF(a,  h),m) 

;;  by  (cell.response) 

=  [Cell(EfF(a,  [h,  m])),  C(a)(h)(m)]  ;;  by  (next.eff)  and  (reply.eff) 

Dcell.beh 

6.3.  The  tree  product  pfns 

Now  we  will  prove  the  equations  (Tpc.Tp)  and  (Tps.Tp)  which  express  the 
functional  correctness  of  the  tree  product  pfns  Tpc  and  Tps.  The  key  to  these 
proofs  are  the  equations  (Tc.Tp)  and  (Ts.Tp),  characterizing  the  functions  com- 
puted  by  the  auxiliary  pfns  Tc  and  Ts.  For  the  reader’s  convenience,  we  repeat 
the  definitions  of  Tp  and  friends  here. 

>  Tp(x)  4-  if(Atom(x),x,Tp(Car(x))  *  Tp(Cdr(a:))) 

>  Tpc(x)  Tc(x,  I) 

>  Tc(a:’/)  «“  if(Atom(x),  if (Zerop(x),  0,  /(x)),  Tc(Car(x),  Ta(x,  /))) 

>  Ta(x,/)  Ay.Tc(Cdr(x),  Td(y,  /)) 

>  Td (y,f)  <—  A z.f(y*z) 

>  Tps(x)  note(c)Ts(x,  c) 

>  Ts(x’c)  ^  if(At°m(x), if (Zerop(x), c(0), x), Ts(Car(x), c)  *  Ts(Cdr(x), c)) 
lnz(x)  4-  if (Atom(x),  Zerop(x), or(lnz(Car(x)),  lnz(Cdr(x)))) 
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We  begin  with  a  lemma  giving  the  sorts  of  Inz  and  Tp  and  expressing  the  fact  that 
if  a  zero  occurs  in  a  number  tree  then  the  tree  product  is  zero. 

Lemma  (Tp.lnz):  For  x  ranging  over  Ntree 

(Inz.sort)  Inz  €  [Ntree  — ►  V*] 

(Tp.sort)  Tp  €  [Ntree  — ►  N] 

(Inz.Tp)  lnz(x)  €  V+  =»  Tp(x)  =  0 

Proof  (Tp.lnz):  an  easy  induction  on  number  trees.  Dj-p  |nz 

Functional  characterizations  of  the  tree  product  functions  are  given  by  (tprod). 
Theorem  (tprod):  For  x  ranging  over  Ntree  and  c  ranging  over  Co 

(Tpc.Tp)  Tpc(r)  =  Tp(x) 

(Tc.Tp)  Tc(x,  /)  S  if (lnz(x),  0,  /(Tp(x))) 

(Tps.Tp)  Tps(x)  =  Tp(x) 

(Ts.Tp)  Ts(x,c)  £  if (lnz(x),  c(0),  T p(x)) 

We  first  prove  (Tpc.Tp)  and  (Tps.Tp)  assuming  (Tc.Tp)  and  (Ts.Tp).  The  proof 
of  (Tps.Tp)  was  given  in  §2.  We  repeat  it  here  to  be  seen  in  light  of  the  formal 
semantics. 

Proof  (Tpc.Tp):  Assume  x  ranges  over  Ntree.  Then 

Tpc(x)  =  Tc(x,  I)  ;;  dfn  Tpc 

=  if(lnz(x),0,  l(Tp(x)))  ;;  (Tc.Tp) 

-  if(lnz(x),  0,  T p(x))  ;;  (id,letv) 

—  Tp(x)  ;;  (Tp.lnz) 

^Tpc.Tp 

Proof  (Tps.Tp):  Assume  x  ranges  over  Ntree.  Then 

Tps(x)  =  note(c)Ts(x,c)  ;;  dfn  Tps 

—  note(c)if(lnz(x),  c(0),  Tp(x))  ;;  (Ts.Tp),  (note.abs) 

=  if(lnz(x),  note(c)c(0),  note(c)T p(x))  ;;  (note.if) 

=  if(lnz(x), 0, Tp(x))  ;;  (note.triv) 

—  Tp(x)  ;;  vcases, (Tp.lnz),  (Inz.sort) 
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^Tps.Tp 

Now  we  prove  (Tc.Tp)  and  (T$.T p).  In  each  case  we  begin  with  the  righthand 
side  of  the  equation  and  obtain  the  lefthand  side  by  a  series  of  steps  that  are 
essentially  program  transformations  (see  for  example  [Scherlis  1981]).  Thus,  if  we 
had  started  with  (Tc.Tp)  and  (Ts.Tp)  as  definitions  then  each  step  would  produce 
a  new  definition,  preserving  the  function  computed.  At  the  final  step  we  obtain 
the  recursive  defining  equations.  In  fact  the  recursive  definitions  we  originally 
obtained  by  just  such  transformations. 

Proof  (Tc.Tp):  by  IVtree-induction.  Assume  x  ranges  over  Ntree.  Then 
if(lnz(x),  0,  /(T  p(x))) 

-  if  (if  (Atom(*),  Zerop(x),  or(lnz(Car(x)),  lnz(Cdr(x)))),  ;;  dfn  Inz 

0, 

/(TP(*))) 

-  if(Atom(x),  .. 

if  (Zerop(x),  0,  /(T  p(x))), 
if(or(lnz(Car(x)),  lnz(Cdr(x))),  0,  /(Tp(x)))) 

“  'f(Atom(x),  ;;  dfn  Tp,  (if.subst) 

if(Zerop(x),0,/(x)), 

if(or(lnz(Car(x)),  lnz(Cdr(x))), 

0, 

f(*[T  p(Car(x)),  T  p(Cdr(x))]))) 

~  if(Atom(x),  .  ;;  (if.or) 

if(Zerop(x),0,/(x)), 
if(lnz(Car(x)), 

0, 

if(lnz(Cdr(x)), 

0, 

/(*[  Tp(Car(x)),  T  p(Cdr(x))])))) 
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=  if(Atom(x),  ;;  (letv) 

if(Zerop(x),  0, /(x)),  ;;  (Tp.sort) 

if(lnz(Car(x)), 

0, 

if(lnz(Cdr(x)), 

0, 

{A(z)/(*[Tp(Car(x)),z])}Tp(Cdr(x))))) 

=  if(Atom(x), 

if(Zerop(x),0,/(x)), 

if(lnz(Car(x)), 

0, 

Tc(Cdr(x),  A(z)/(*[T  p(Car(x)),  z])))) 

;;  induction  hypothesis 

—  if(Atom(x),  ;;  (letv) 

if(Zerop(x),  0,  /(x)),  »  (Tp.sort) 

if(lnz(Car(x)); 

0, 

(A(y)Tc(Cdr(x),  A z./(*[y,  z]))}T p(Car(x)))) 

=  if(Atom(x),  ;;  dfns  Ta,  Td 

if(Zerop(x),0,/(x)), 
if(lnz(Car(x)), 

0, 

Ta(x,/)(Tp(Car(x))))) 

^  if (Atom(x),  if (Zerop(x),  0,  /(x)),  Tc(Car(x),  Ta(x,  /))) 

;;  induction  hypothesis 
=  Tc(x,/)  ;;  dfn  Tc 

DTc.Tp 

Proof  (Ts.T p):  by  Ntree- induction.  Assume  x  ranges  over  Ntree  and  c  ranges 
over  Co.  Then 

if(lnz(x),  c(0),  Tp(x)) 
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—  if(Atom(x),  ;;  as  in  proof  of  (Tc.Tp) 

if(Zerop(x),c(0),x) 
if(lnz(Car(x)), 
c(0), 

if(lnz(Cdr(x)), 

c(0), 

*P"p(Car(x)),  T  p(Cdr(x))]))) 

=  if(Atom(x),  ..  (esc) 

if  (Zerop(x),  c(0),  x), 
if(lnz(Car(x)), 

<  0), 

if(lnz(Cdr(x)), 

*[Tp(Car(x)),c(0)], 

*[Tp(Car(x)),  T  p(Cdr(x))]))) 

~  if(Atom(*)»  ;;  (if.dist) 

if  (Zerop(x),  c(0),  x) 

if(lnz(Car(x)), 

<  0), 

*[Tp(Car(x)),if(lnz(Cdr(x)),c(0),Tp(Cdr(x)))])) 

=  if(Atom(x),  ;;  induction  hypothesis 

if(Zerop(x),  c(0),  x), 
if(lnz(Car(x)), 

<*o), 

*[T  p(Car(x)),  Ts(Cdr(x),  c)])) 

=  if(Atom(x),  ..  (esc)? 

if(Zerop(x),c(0),x),  ;;  as  above 

*[if(lnz(Car(x)),  c(0),  Tp(Car(x))),  Ts(Cdr(x),  c)]) 

=  if(Atom(x),  induction  hypothesis 

if(Zerop(x),c(0),x), 

*[Ts(Car(x),c),Ts(Cdr(x),c)]) 

=  Ts(x,c)  ;;  dfn  Ts 


^Ts.T  p 
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6.4.  Streams  and  coroutines. 

Streams  and  coroutines  are  mechanisms  for  generating  elements  of  a  sequence 
as  they  axe  needed.  They  can  be  characterized  extensionally  by  the  sequences  they 
generate.  For  simplicity  we  will  concentrate  on  infinite  sequences  (thus  avoiding 
the  need  to  consider  the  case  of  the  empty  stream). 

6.4.1.  Streams 

Recall  that  in  Vjtim,  streams  axe  represented  by  pfhs  which  when  queried 
(applied  to  the  empty  sequence)  return  a  pfn  representing  the  rest  of  the  stream 
together  with  the  next  element  of  the  stream.  We  begin  by  formalizing  the  notion 
of  sequence  generated  by  a  stream. 

Definition  (Streams  generating  sequences.):  Let  a  be  an  infinite  sequence 
of  elements  from  the  computation  domain  (<r  €  [N  — ►  V]).  A  pfn  s  is  a  stream 
generating  a  if  there  is  a  sequence  of  pfns  tf(j)  such  that  s  =  t?(0)  and  i9(j)(mt)  = 
[d(j  +  l),cr(;)]  for  all  j  €  N.  We  say  that  t?  is  the  sequence  of  tails  of  s,  t 9(j)  is 
the  j-th  tail  of  s,  and  <r(j )  is  the  j-th  element  of  s. 

Note  that  if  s  is  a  stream  generating  <r  with  sequence  of  tails  t?  then  x 9(j)  is  a 
stream  generating  \n.a(n  +  j )  with  sequence  of  tails  An.t?(n  +  j)  for  each  j  G  N. 

We  will  use  this  characterization  of  streams  to  formulate  and  prove  the  cor¬ 
rectness  of  the  pfn  Sieve  discussed  in  §2.  Recall  that  Sieve  is  defined  by 

>  Sieve(mt)  <-  Sift(lnts(2))(mt) 

>  lnts(n)(mt)  <—  [lnts(n  +  l),n] 

>  Filter(p,m)(mt)  <-  let{[n,m]  -<-m(mt)} 

if(Divp(p,  n),  Filter (p,  m)(mt),  [Filter(p,  in),  n]) 

>  Sift(in)(mt)  <—  let{[m,p] in(mt)}[Sift(Filter(p,  m)),p] 

where  for  numbers  p,  n  the  expression  Divp(p,  n)  is  true  iff  p  divides  n.  Let  Primes 
be  the  sequence  of  prime  numbers  listed  in  increasing  order.  The  correctness  of 
Sieve  is  expressed  as  follows. 

■(Correctness  of  Sieve.)  Sieve  generates  Primes. 

Proof  (Correctness  of  Sieve.):  Since  Sieve  =  Sift(lnts(2)),  to  prove  the  cor¬ 
rectness  of  Sieve  we  need  only  define  sequences  giving  the  elements  and  tails  of 
Sift(lnts(2))  and  verify  that  the  elements  sequence  is  indeed  Primes. 

We  begin  by  defining  some  number-theoretic  functions.  These  definitions 
can  easily  be  transformed  into  pfn  definitions.  We  leave  them  in  the  world  of 
mathematics  to  separate  the  work  which  is  purely  number  theory  from  that  which 
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deals  with  pfns.  In  the  following  i,  j ,  k,m,n  will  range  over  N,  a  will  range  over 
sequences  of  numbers  -  <7  €  [N  — *  N],  and  m  |  n  is  the  predicate  “m  divides  n”. 
Define  the  functions  lx,  Index ,  and  for  each  m  €  N  by 

Ix(<r,m,j )  =  fi{k  >  |  cr(k )) 

Index(<T,m,0)  =  Ix(cr,  m,  0) 

/ndex(tr,  m,  n  +  1)  =  Ix(<7,  m,  Index{t t,  m,  n)  +  1) 

=  cr(Index(cr,m,k)) 

Thus  Ix(cr,  m,  j )  is  the  least  number  such  that  k  >  j  and  m  does  not  divide  a(k). 
Index  (a,  m,j)  is  the  number  k  such  that  m  does  not  divide  a{k)  and  such  that 
there  are  exactly  j  elements  <x(t)  with  i  <  k  and  m  not  dividing  <r(i).  cr^m^  is  the 
subsequence  of  elements  of  u  not  divisible  by  m.  We  will  only  apply  these  functions 
in  situations  where  a  is  a  sequence  with  infinitely  many  elements  not  divisible  by 
m  so  we  need  not  specify  their  behavior  elsewhere.  Define  the  sequences  P intin ) 
and  Pr  by 

Pint{  0)  =  \(i)i  +  2 
Pint(n  +  1)  =  Pint(n)('~'Pr^ 

Pr(j)  =  Pint(j,  0) 

Then  Pint(n)  is  the  sequence  of  numbers  not  divisible  by  Pr(j )  for  all  j  <  n, 
Pr(0)  —  2,  and  Pr(j’)  is  the  j-th  prime.  Note  also  that  there  are  infinitely  many 
elements  of  Pint(n )  not  divisible  by  Pr(n).2  Thus  to  prove  the  correctness  of 
Sieve  we  need  only  find  a  sequence  of  pfns  1 9(j)  such  that  t?(0)  £  Sift(lnts(2))  and 
i9(n)(mt)  =  [i?(n  +  1),  Pr(n)].  Define  the  sequence  of  pfns  P(n)  by 

>  P(n)  +-  if(Zerop(n),  lnts(2),  let{[s,  m]  -e  P(n  -  l)}Filter(m,  P(n  -  1)) 

Lemma  (P.Pint):  For  all  n,  P(n)  is  a  stream  generating  Pint(n). 

The  correctness  of  Sieve  now  follows  from  the  lemma  (Sift .sifts). 

Lemma  (Sift.sifts):  Sift(lnts(2))  is  a  stream  generating  Pr  with  i-th  tail 

Sift(PO)). 

Proof  (Sift.sifts):  We  must  show  Sift(P(;'))(mt)  S  [Sift(P(;  +  l)),Pr(j)].  By 
(P.Pint)  there  is  a  stream  s  such  that  P(j  )(mt)  Sf  [s,Pr(j)]  and  by  the  definition 


These  two  sentences  are  where  the 


main  number-theoretic  work  is  hidden. 
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of  Filter  we  have  Filter(Pr(j),  P(j))  =  Filter(Pr(j),s).  Hence  by  the  definition  of 
Sift  and  P  we  have 

Sift(PG')Xmt)  S  [Sift(Filter(PrG),PO'))),PrO')]  »  [Sift(P(j  +  1)),  Pr(j)] 
^Sift.  sifts 

All  that  remains  is  to  prove  (P.Pint).  We  first  prove  some  lemmas  about  lots 
and  Filter. 

Lemma  (Ints.num):  lnts(i)  generates  the  sequence  A(n)n  -f  i,  the  sequence  of 
numbers  greater  than  or  equal  to  i. 

Proof  (Ints.num):  The  j-th  tail  of  lnts(i)  is  lnts(z  +  j).  □ints.num 

Lemma  (Filter.fil):  Let  <r  be  a  sequence  with  infinitely  many  elements  not 

divisible  by  m  and  let  in(i)  be  the  sequence  of  tails  of  a  stream  generating  a. 

Filter(m,m(i))(mt)  =  [Filter(m,  in(/x(<7,  m,*)  +  l)),<r(Ix(cr,  m,z))] 

Proof  (Filter.fil):  by  induction  on  k  =  Ix(cr,m,i )  —  i 
Case  ( k  =  0):  Divp(m,  cr(i))  is  false  and  by  definition  of  Filter 

Filter(m,  m(:))(mt)  =  [Filter(m,  in(i  +  l)),<7(i)] 

Case  ( k  >  0):  :  Then  Divp(m,  cr(i))  is  true  smd  by  definition  of  Filter  and  induc¬ 

tion  hypothesis 

Filter(m,m(z))(mt)  =  Filter(m,  in(i  +  l))(mt) 

=  [Filter(m,m(7x((T,m,z)  +  1)),  cr(Jx(o-,  m,  t))] 

^Filter.fil 

Lemma  (Filter.filters):  Let  a  be  a  sequence  with  infinitely  many  elements  not 
divisible  by  m  and  let  s  be  a  stream  generating  a  with  sequence  of  tails  in.  Then 
Filter(m,s)  is  a  stream  generating  with  sequence  of  tails  out  where 

out(0)  =  Filter(m,s) 

out(j  +  1)  =  Filter  (m,in(Index(cr,m,j)  +  1))) 


Proof  (Filter.filters):  We  must  show  for  each  j 

0Ut(j)=*[0Ut(j  +  l),<T^m\j)}. 
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This  follows  easily  from  (Filter. fil)  and  the  properties  of  Index ,  and  given 

above.  ° 

Case  O'  =  0):  Let  k  =  Ix(a ,  m,  0)  then 

Index{<j,  m,0)  =  k  ;;  defn  Index 
’(0 )  =  CT (*)  ..  defn  „-(m) 

ouf(0)(mt)  S  Filter(m,  m(0))(mt)  a  [Filter(m,  in(k+ 1)),  o-(jt)]  ;1  (Filter.fll) 

Case  0  +  1):  Let  k  =  Ix{(r,m,Index(cr,m,j)  +  1)  then 

Index(<j,m,j  +  1)  =  k  ;;  defn  Index 

+  1)  =  ;;  defn  a',(m) 

ou<0  "F  —  Filt er(m,in(Index(a,m,j)  +  l))(mt) 

-  [Filter(m,  in(k  +  1)),  <r(fc)]  ;;  (Filter.fll) 

'-'Filter. filters 

Now  we  are  ready  to  prove  the  Pint  lemma. 

Proof  (P.Pint):  by  induction  on  n.  The  case  n  =  0  is  by  (Ints.ints).  For 
”  >  °>  Msume  P(n  - 1)  is  a  stream  generating  Pint(n  - 1).  By  (Filter .filters)  and 
the  definitions  of  Pint,  Pr  we  have  P(n)  £  Filter(Pr(n  -  1),  P(n  -  1))  is  a  stream 
generating  Pint(n).  Dp  pint 

This  completes  the  proof  of  correctness  of  Sieve.  0Correctness  of  Sieve. 
6.4.2.  Coroutines 

The  next  element  of  the  sequence  generated  by  a  a  coroutine  is  obtained  by 
resuming  the  coroutine.  The  coroutine  computes  the  next  element  and  resumes 
its  resumer  with  the  value  of  the  next  element  in  a  context  that  represents  the 
remainder  of  the  computation. 

To  formalize  the  notion  of  coroutine  and  of  sequence  generated  by  a  coroutine 
we  begin  with  the  resumption  pfn  Resume.  Resume  notes  the  current  context, 
discards  it  (by  applying  top),  and  calls  the  resumee  with  the  noted  context  and 
possibly  additional  information  as  argument. 


t>  Resume[p,u]  «-  note(c)top(p[c, »]) 

Resumption  is  used  with  no  additional  arguments  to  get  the  next  element  from 
a  coroutine  generating  a  sequence.  It  is  also  used  by  the  generating  coroutine  to 
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return  the  element  to  its  resumer.  Thus  it  is  common  for  resumption  of  a  generator 
coroutine  g  by  a  consumer  c,  to  reduce  to  resumption  of  c  with  the  next  element  x 
in  a  context  g'  representing  the  remainder  of  the  generator  computation.  In  this 
case  resumption  of  g  is  equivalent  to  [top  o  g' ,x\.  This  property  of  co-operating 
pairs  of  resumptions  is  expressed  by  the  following  theorem. 

Theorem  (res. res): 

Resume(Ax.p(Resume[x,  z]))  =  [top  op,  z] 


Proof  (res. res): 

Resume(Ax.p(Resume[x,  z]))  = 

=  note(co)top((Ax.p(Resume[x,  z]))(co))  ;;  dfn  Resume 

=  note(co)top(p(Resume[c0,z]))  ;;  (letv) 

=  note(co)top(p(note(ci)c0[ci,z]))  ;;  dfn  Resume 

—  note(co)note(ci)top(p(co[ci  o  (top  op),?]))  ;;  (note.dist) 

—  note(co)note(ci)co[top  op, z]  ;;  (esc.c)  twice 

—  note(co)co[top  o  p,  z]  ;;  (note.triv) 

—  [toP  0  P>  z\  ;;  (note.id) 

Now  we  can  formalize  the  notion  of  coroutine  generating  a  sequence. 

Definition  (Coroutines  generating  sequences.):  Let  it  be  an  infinite  se¬ 
quence  of  elements  from  the  computation  domain,  co  is  a  coroutine  generating  o 
if  there  is  a  sequence  of  pfns  1 9(j)  such  that  i9(0)  =  co  and  for  all  j  €  N 

Resume(i9(;))  =  [top  o  tf(j  +  l),<r(j)]. 

We  say  that  •d  is  the  sequence  of  tails  of  co,  i 9(j)  is  the  j-th  tail  of  co,  and  cr(j)  is 
the  j-th.  element  of  co. 

We  will  now  use  the  resumption  theorem  and  this  characterization  of  corou¬ 
tines  to  formulate  and  prove  the  correctness  of  the  string-transforming  pfn  C32. 
Recall  from  §2  that  C32  and  its  auxiliaries  C32a,  C32b,  C32c,  C32d  satisfy 
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■(C32.aux) 

C32(m)[out]  =  C32a(ou<)(Resume(m)) 

C32a(ou<)[m,ty]  £  let{[z0,  x\ ,  z2]  -e  StrUn(u>)} 

C32b(m,  x2  )(Resume[oui,  StrMk[z0,  za]]) 

C32b(m,  x2)[out]  =  C32c(out,  Z2)(Resume(m)) 

C32c(out,x2)[in,w]  £  let{[z3,z4,z5]  -e  StrUn(u;)} 

C32d(m,z4,z5)(Resume[ou<,StrMk[z2,z3]]) 
C32d(m,z4,zs)[oi£t]  =  C32(m)(Resume[out,  StrMk[z4,zs]]) 

Theorem  (C32. correctness):  Let  x  be  a  sequence  of  characters,  let  x^  be 
the  sequence  of  strings  of  length  three  such  that 

X(3)(0  =  StrMk[x(3i),x(3i  +  l),x(3i  +  2)], 
and  let  x^  be  the  sequence  of  strings  of  length  two  such  that 

X(2)(0  =  StrMk[x(2i),x(2i  +  l)] 

Then  for  any  coroutine  co  generating  x^3\  C32( co)  is  a  coroutine  generating  x^- 

Proof  (C32. correctness):  Let  x>  X^3\  X^  be  as  in  the  statement  of  the 
theorem  and  let  co  be  a  coroutine  generating  x(3^  with  tails  in(j)  for  j  €  N.  We 
want  to  show  that  there  is  a  sequence  of  pfns  out(j)  such  that  C32(co)  =  out( 0) 
and  Resum  e(out(j))  £  [topoou<(j  +  l),x(2)0')].  for;  €  N.  Define  out(j)  as  follows: 

out(Zj)  £  C32(m(2j)) 

out(3j  +  1)  9*  C32b(m(2;  +  l),x(6j  +  2)) 

out(3j  +  2)  3  C32d(m(2;  +  2),  x(6j  +  4),  x(6j  +  5)) 

Thus  we  need  only  prove  the  following  three  equations 

(out.i)  Resume(C32(m(2j)))  3  [top  o  C32b(m(2j  +  l),x(6j  +  2)),  x(2)(3j)] 
(out.ii)  Resume(C32b(m(2;  +  1),  x(6;  +  2))) 

-  (toP  0  C32d(m(2;  +  2),  X(6j  +  4),  X(6j  +  5)),  x(2)(3;  +  1)] 

(out.iii)  Resume(C32d(m(2j  +  2),  x(6j  +  4),  x(6j  +  5))) 

-  [^P  0  C32(m(2;  +  2)),  x(2)(3 j  +  2)] 
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We  will  use  the  following  simple  facts  which  follow  easily  from  the  definition  of 
Resume  and  (C32.aux). 

(res. top)  Resume(p)  =  Resume(top  o  p ) 

(in. top)  C32(in)  =  C32(top  o  in) 

(in.top.b)  C32b(in,  x)  =  C32b(top  o  in,  x ) 

(in.top.d)  C32d(m,  x,  y)  =  C32d(top  o  in,  x,  y ) 

Let  X^  be  as  in  the  statement  of  the  theorem  and  assume  in(j)  is  a  sequence 
of  tails  of  a  co- routing  generating  x(3L  Thus  we  have 

( in.hyp )  Resum e(m(j))  =  [top  o  in(j  +  1),  x3 0* )] 

Proof  (out.i): 

Resume(C32(m(2j)))  = 

=  Resume(Aotxf.C32a(out)(Resume(m(2j))))  ;;  (C32.aux) 

=  Resume(Aout.C32a(ouf)[top  o  in(2j  +  1),  x(3)(2j)])  ;;  (hyp.in) 

=  Resurr\e(\out.C32b(in(2j  +  l),x(6;  +  2))(Resume[out,  x^2^(3j)])) 

;;  (C32.aux), (in.top.b),  defn  x(,) 

=  [t°P  °  C32b(m(2;  +  1),  x(6;  +  2)),  x(2)(3j')]  5!  (res.res) 

^out.i 

Proof  (out.ii): 

Resume(C32b(m(2;  +  l),x(6;  +2))) 

—  Resume(Aout.C32c(out,x(6i+2))(Resume(in(2j+l))))  ;;  (C32.aux) 
—  Resume(Aouf.C32c(oui,  x(6j  +  2))[top  o  in(2j  +  2),  x^(2j  +  1)])) 

;;  (hyp.in) 

—  Resume(Aout.C32d(m(2j  +  2),  x(6j  +4),  x5)(Resume[out,  x(2)(3j  + 1)])) 
;;  (C32.aux), (in.top.d),  defn  x(,) 

=  [^p  oC32d(m(2;+ 2),  x(6j+ 4),  x(6j  + 5)),  x(2)(3j  +  l)]  ;;  (res.res) 

^out.ii 
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Proof  (out.iii): 

Resume(C32d(m(2j  +  2),  X(6j  +  4),X(6j  +  5))) 

-  Resume(Aou^.C32(m(2j  +  2))(Resume[oui,  x(2)(3;  +  2)])) 

;;  (C32.aux),  defn  X(<) 

=  (top  °  C32(m(2j  +2)),  x<2)(3 j  +  2)]  ;;  (res.res) 

^out.iii  nC32. correctness 
6.4.3.  Remarks 

We  have  formalized  useful  but  particularly  simple  notions  of  stream  and  corou¬ 
tine.  It  is  easy  to  see  that  pfns  can  represent  much  more  complex  stream-like  ob¬ 
jects  and  more  intricate  patterns  of  coroutine  interaction.  We  refer  the  reader  to 
the  Common  Lisp  manual  [Steele  1984]  for  more  elaborate  notions  of  stream  and 
to  [Kahn  and  McQueen  1977]  for  a  more  general  notion  of  systems  of  coroutines. 
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7.  Derived  properties  and  programs 

A  set  of  derived  properties  is  a  uniformly  computable  set  of  properties  of 
computations  described  by  programs.  By  uniformly  computable  we  mean  com¬ 
puted  by  a  scheme  for  recursion  on  the  structure  of  computations.  For  example 
simple  derived  properties  are  computed  by  composing  a  sequence  of  parameter 
functions  corresponding  to  the  rules  used  in  generating  a  computation  sequence 
and  applying  this  composition  to  an  initial  value.  Many  more  elaborate  schemes 
are  possible.  A  derivation  map  converts  programs  into  derived  programs  that 
compute  derived  properties  of  the  original  program.  The  uniformity  requirement 
for  derived  properties  means  that  derivation  maps  are  computable  operations  on 
programs  determined  by  the  recursion  schemes.  The  value  of  derivation  maps  is 
that  they  convert  intensional  properties  of  programs  into  extensional  properties 
of  derived  programs.  This  allows  us  to  apply  methods  for  proving  properties  of 
the  function  computed  by  a  program  to  proving  properties  of  the  computations 
described.  The  term  “derived  program”  is  due  to  McCarthy  (private  communi¬ 
cation)  and  derived  programs  are  related  to  work  of  [Wegbreit  1975].  The  idea 
of  derived  property  is  a  special  case  of  non-standard  interpretation  in  which  we 
reinterpret  program  primitives  to  compute  some  property  of  the  computation  de¬ 
scribed  the  standard  interpretation.  Some  forms  of  abstract  interpretation  (cf. 
[Cousot  et  Cousot  77],  [Jones  and  Mycroft  86],  [Abramsky  and  Hankin  87])  can 
also  be  expressed  as  derived  properties. 

To  illustrate  the  basic  ideas  we  will  focus  on  simple  derived  properties,  hence¬ 
forth  known  as  s.d.p.s.  We  begin  with  some  examples  of  simple  derived  properties. 
Then  we  formally  define  the  set  of  s.d.p.s  and  give  some  properties  of  this  set. 
Finally  we  define  a  derivation  map  for  s.d.p.s  and  use  it  to  analyze  intensional 
properties  of  the  tree  product  pfhs.  To  simplify  matters  we  will  asstime  that  we 
are  working  over  a  data  structure  that  contains  the  S-expression  structure. 

7.1.  Examples  of  simple  derived  properties 

Two  examples  of  s.d.p.s  are  count(O)  for  a  set  of  rules  O  and  trace.  count(O) 
is  the  number  of  times  one  of  the  rules  in  O  is  applied  in  generating  a  computation 
sequence  and  trace  is  the  list  of  (codes  for)  the  rules  applied.  Returning  to  the 
example  computation  sequence  Eex  (which  we  repeat  here  in  Figure  8  for  the 
reader’s  convenience)  we  have 

coimi({Atom},Eex)  =  0,  cotmi( {Zerop},  Eex)  =  1,  count({sw},  Eex)  =  1, 
and 


<race(Eex)  =  <if,  app,  sym,  appi,  sym,  Zerop,  ifi,  app,  sym,  appi,  sym,sw>. 
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7  v  (if(Zerop(x),c(x),x)  :  {) 

>“*  7  0  (ifi(c(x), x)  :  £)  v  (Zerop(x)  :  £) 

on 

>—+70  (ifi(c(x),  x)  :  £)  0  (appi(x)  :  £)  v  (Zerop  :  £) 

(app) 

>-*  7  0  <ifi(c(ar),  x)  :  £)  0  (appi(x)  :  £)  a  Zerop 

(sym) 

>—►  7  0  (ifi(c(x), *)  :  0  0  appc(Zerop)  v  (x  :  f ) 

(appi) 

>—*  fo  (ifi(c(x),  x)  :  f)  0  appc(Zerop)  a  0 

(sym) 

> — ►  7  0  (ifi(c(x),  x)  :  £)  a  0 

(Zerop) 

^  7  v  (c(*)  :  0 

(ifi) 

>-*•  7°  (appi(x)  :  0  v  (c  :  () 

(app) 

>—♦70  (appi(x)  :  £)  a  top 

(sym) 

>-+70  appc(top)  V  (x  :  £) 

(appi) 

>— *■  70  appc(top)  a  0 

(sym) 

>— f  top  A  0 

(sw) 

where  £  maps  x  to  0  and  c  to  top 

Figure  8.  Example  computation  sequence 

where  if,  app,  etc.  denote  S-expressions  coding  the  symbols  if,  app,  etc. 


7.2.  Definition  of  simple  derived  property 

An  s.d.p.  is  defined  by  giving  an  initial  value  and  a  set  of  unary  functions 
(primitive  derivations),  one  for  each  computation  rule.  Given  a  set  of  primitive 
derivations  we  define  the  derived  property  function  for  a  computation  sequence  to 
be  the  composition  of  the  primitive  derivations  corresponding  to  the  rules  used  in 
generating  the  sequence.  The  derived  property  of  a  given  computation  sequence 
is  then  computed  by  applying  its  derived  property  function  to  the  initial  value. 
The  use  of  derived  property  functions  allows  segments  of  a  computation  sequence 
to  be  treated  independently.  For  a  segment  contained  in  a  larger  sequence  the 
initial  value  is  interpreted  as  the  derived  property  for  the  computation  up  to  the 
beginning  of  the  segment.  Applying  the  derived  property  function  for  the  segment 
to  this  value  produces  the  derived  property  for  the  computation  continued  to  the 
end  of  the  segment. 
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>  (Simple  derived  properties.):  Let  Rules  be  the  set  of  (S-expression  codes 
for)  the  computation  rules 

Rules  =  {sym,  mt,  top,  lam,  note,  if,ifi,app,  appi, 

cart, carti,  carte, fst,fstc,  fit,  rstc,  pfn,sw,  o|o  €  Od}. 

Let  A  be  a  subset  of  V  and  let  D  be  a  pfn  mapping  Rules  to  pfhs  computing  unary 
functions  on  A. 

D  €  [Rules  — +  A  — ►  A] 

We  call  D  a  primitive  derivation  over  A  and  D(f)  is  the  primitive  derivation  cor¬ 
responding  to  r  for  each  r  €  Rules.  If  E  is  the  computation  sequence  [(0  >-— * 

■ . .  >— ►  Ck] *  then  Ed,  the  derived  function  of  E  determined  by  D,  is  the  compo¬ 
sition  D(r*)  o  ...  o  D(rl).  The  s.d.p.  of  E  determined  by  a  €  A  and  D  is  E°(a). 

Lemma  (count.sdp):  count  is  an  s.d.p. 

Proof  (count.sdp):  Let  O  be  a  set  of  rules  and  let  D  be  the  primitive  derivation 
over  the  integers  defined  by 


n/~\  (  Addl  if  r  €  0 

D(r)  =  |l  ifr£0. 

Then  coimt(0,E)  =  ED(0)  and  thus  count(0 )  is  the  s.d.p.  determined  by  D  and 

l-tount.sdp 

Lemma  (trace.sdp):  trace  is  an  s.d.p.s. 

Proof  (trace.sdp):  Let  D  be  the  primitive  derivation  over  lists  of  integers 

defined  by 

D  =  Ar.Ad.Append(d,  ListMk(r)) 

Then  trace( E)  =  E*^(Nil)  and  thus  trace  is  the  s.d.p.  determined  by  D  and  Nil. 
^trace.sdp 

Theorem  (trace. universal):  The  trace  of  a  computation  sequence  contains  all 
the  information  about  the  computation  sequence  available  for  computing  s.d.p.s. 
In  particular,  there  is  a  pfn  Derive  such  that  for  any  A  C  V,  any  a  €  A,  and  any 
primitive  derivation  D  over  A 

Derive(D,  a,  trace(E))  =  SD(a) 

Proof  (trace. universal):  Take  Derive(D,  a,  x)  =  Sit(D,a,  ListUn(x))  and  show 

by  induction  on  length  of  E  that  the  specification  for  Derive  is  satisfied. 

^trace.  universal 
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When  computations  axe  defined  by  recursion  and  carried  out  on  a  stack-based 
machine,  an  important  property  is  the  maximum  stack  depth  required  in  a  compu¬ 
tation.  In  a  continuation-based  model,  the  analog  to  stack  depth  is  continuation 
depth  -  the  length  or  number  of  compositions  in  the  continuation.  For  example 
the  depth  of  top  is  zero  and  the  depth  of  7  o  appc(u)  is  one  plus  the  depth  of  7. 

Lemma  (max.stack):  For  computations  that  do  not  involve  context  switching 
the  maximum  stack  depth  is  a  derived  property. 

Proof  (max.stack):  Let  D  be  the  primitive  derivation  over  pairs  of  integers 

defined  by 


'  Ax.let{m  -e  Addl(Car(x))}Cons[m,  Max[m,  Cdr(ar)]] 
if  r  €  {if,app,cart,fst,rst} 

<  Ax.Cons[Subl(Car(x)),  Cdr(x)] 

if  r  €  {ifi,  carte, fstc,  rstc,  pfn,o|o€  0D} 

'  I  otherwise 


where  Max[x,  y }  is  the  maximum  of  x  and  y  for  integers  x,  y.  If  sw  is  not  used  in  E 
and  m  is  the  length  of  the  continuation  component  of  1st  (E)  then  by  induction  on 
the  length  of  E  we  see  that  Car(ED(Cons[m,m]))  is  the  length  of  the  continuation 
component  of  the  last  state  in  E  and  Cdr(ED(Cons[m,  m]))  is  the  maximum  of  the 
continuation  lengths  for  states  occurring  in  E.  C]max 

Corollary  (no.max.stack):  Maximum  stack  depth  is  not  an  s.d.p.  for  arbi¬ 
trary  computations. 

Proof  (no.max.stack):  This  follows  from  the  universality  of  trace  and  the 

fact  that  maximum  continuation  length  is  not  computable  from  the  trace.  To  see 
the  latter,  note  that  <sw>  is  the  trace  of  computation  sequences  with  arbitrarily 
long  continuations.  Dno.max.stack 


7.3.  Derived  programs 

Rather  than  use  derived  properties  directly  to  treat  intensional  properties 
of  programs,  we  will  define  a  derivation  map  and  show  how  this  can  be  used  to 

convert  intensional  properties  of  programs  into  extensional  properties  of  derived 
programs. 

Definition  (Derivation  map):  Let  ds  be  a  new  symbol.  A  derivation  map  is 
a  family  of  functions  A  on  TZum  domains 


A  €  [F  — ►  F]  ©  [Pc*  ->  F]  ©  [Co  -»  Co]  ©  [V*  V*]  ©  [Bt  x  V  -►  D»]  ©  [St  x  V  -4  St] 
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such  that  (writing  xD  for  A(x)  to  emphasize  the  dependence  on  the  primitive 
derivation  D) 

dD  =d 

oD  =  A[ds,x][D(o,  ds),  o(x)] 

((Ax.V?:0€V)D  =  (A[ds,x](V?D):eD) 

(7  €  V)D  =  (A[<fs,x]c[D(sw,ds),x]  :  c-<- 7°) 

[ai,...,an]D  =  [aiD, . . . ,  anD]  . 

(9  :  0D(a)  =  <V>°  :  CD{ds-ea}) 

^(x)  =  (£(x))D  ;;  for  any  variable  x  in  the  domain  of  £ 

topD  =  top 

(7  0  (v?cs  :  0)D  =  7°  0  ((<*,  €  F cs)D  :  (' D )) 

(7  v  <S)D(a)  =  7°  V  (<5D(a)) 

(7  A  *>)D(a)  =  7°  a  [a,VD] 

and 

Co  A  Ci  =►  CoD(a)  W  Cl D(SD(a)) 

Here  as  in  other  situations  where  one  is  defining  a  family  of  functions  on  Rum 
domains  it  is  necessary  to  distinguish  between  (Ax.c p  :  £)  the  dtree  and  (A x.ip  :  £) 
the  pfn.  To  make  this  distinction  we  write  (\x.<p  :  £)  €  V  for  the  pfn.  For 
continuations  we  write  76V  for  7  as  an  element  of  the  computation  domain  and 
simply  7  as  a  component  of  a  computation  state.  We  write  <p  €  Fca  when  we  are 
viewing  9  as  a  continuation  segment  form  rather  that  simply  as  a  form. 

The  key  fact  about  derivation  maps  is  that  derived  pfns  compute  derived 
property  functions.  This  is  expressed  by  the  theorem  (der.map). 

Theorem  (der.map):  For  any  A  C  V,  D  a  primitive  derivation  over  A  and 

cl  €  .4 

p(v)  €  V*  =*  fst(pD  [a,  uD])  £  C's(p(u))D(a). 

Note.  An  important  property  of  Rum  computation  is  that  if  p(v)  €  V*  then  for 

£ 

any  continuation  7  there  is  a  value  u  and  a  computation  sequence  E  7  v  p(v)  > — ► 
7  a  u  and  Ed  is  independent  of  the  choice  of  7.  Endnote. 

For  the  remainder  of  this  section  we  assume  that  D  is  a  constant  symbol  whose 
interpretation  is  a  primitive  derivation  and  that  the  new  symbol  ds  ranges  over  V. 
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Theorem  (dermap. exists):  There  exists  a  family  of  functions  A  that  is  a 

derivation  map. 

Proof  (dermap.exists):  From  the  definition  it  is  easy  to  see  that  a  derivation 
map  is  determined  by  its  action  on  forms  and  continuation  segments.  Figure  9 
defines  such  an  action.  The  theory  would  be  a  little  simpler  if  we  worked  in 
basic  Rum  with  no  constant  symbols.  However  the  practice  is  much  simpler  if  we 
develop  the  theory  accounting  for  the  distinction  between  constant  and  variable 
symbols.  Thus  for  each  constant  symbol  s  we  choose  a  new  constant  symbol  s' 
(the  derived  symbol  associated  with  s )  whose  interpretation  is  the  derivation  of 
the  interpretation  of  s.  For  variable  symbols  we  take  s'  to  be  s.  To  check  that  the 
map  defined  by  Figure  9  is  indeed  a  derivation  map  one  only  needs  to  check  the 
step  requirement  for  each  step  rule.  We  leave  this  as  an  exercise.  In  fact  the  action 
of  the  derivation  map  on  forms  was  obtained  by  looking  at  what  was  needed  to 
prove  the  step  requirement.  Ddermap.exists 

To  facilitate  working  with  derived  programs  we  have  a  number  of  lemmas  for 
common,  special  cases.  To  simplify  matters  we  will  assume  in  the  remainder  of 
this  section  that  D  is  a  primitive  derivation  over  the  integers  for  counting  data 
operations.  Thus  for  r  €  Rules 

/  €  {I, Addl}  ifr  =  oforo€©D 

l  —  I  otherwise. 

The  general  case  is  similar,  just  messier.  Under  these  assumptions  we  have  the 
following  facts  about  the  derivation  map. 

Lemma  (dop.der):  For  data  operations  o 

(app)  St  let{[ds,/.]^¥5oD}|et{[d5,x,]^¥?1D}/.[ds,x.] 

(cart)  [<p0,Vi}D  aiet{[dS,a;.]^v,oD}let{d5,y*]-i-v>1D}[ds,**,y,] 

(s.app)  (s(sp))D  2  s'(<^D) 

(o.app)  o(x)D  3  [D(o, ds), o(x)}  ;;oEOd 

(if.dop)  D(o)  =  I  =>  if(o(x),^,^2)D  =*  if(o(x),9lD,Y,2D) 

Proof  (dop.der):  The  proofs  are  essentially  computation  using  the  definition 
of  the  derivation  map  A,  the  simplifying  assumptions  (letv),  (let.perm)  and  the 
cart  laws.  Dander 

The  key  to  computing  derived  properties  of  recursivelv  defined  pfns  is  the  de¬ 
rived  recursion  lemma  (der.rec)  and  its  corollaries.  The  derived  recursion  lemma 
says  that  the  derivation  of  a  pfn  defined  by  a  recursion  equation  is  a  pfn  defined  by 
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sD  =  [D(sym,da),s'] 

mtD  =  [D(mt,<£.s),mt] 

topD  =  [D(top,  ds),  A[ds,  x]top[D(sw,  <is),  x]] 

(Ax.<^)d  =  [D(\am,ds),\[ds,x}<pD) 

=  \et{ds  D(app,ds)}(appi(<^i)D)(<^0D) 

appi(v?i)D  =  \[ds,  f.]\et{ds  +  D(appi,ds)}(appc(/,)D)(vj1D) 
appc(/,)D  =  X[ds,  x,]/.  [D(a'ppc,  ds),  x.] 
ifCv’o.V’i*^)0  =  let{rfa  -t-  D(i? , <f3)>(ifi(v?i , 
ifi(^i,<£2)D  =  A[ds,x.]let{ds  +  D(ifi,d$)}if(x.,9iD,<p2D) 

[¥>o,  v?i]D  =  let{ds D(cart,<f5)}(carti(v>i)D)(<^0D) 

carti(<,Pi)D  =  X[ds,  x.]let{d5  +  D(carti,ds)}(cartc(x.)D)(y>iD) 

cartc(x.)D  =  A[ds,  y.].[D(cartc,  da),  x, ,  y,] 

fst(^)D  =  \et{ds  +  D{fst,  ds)}  fstcD((fD) 

fStCD  =  X[ds,  x,].[D(fstC,  ds),  fst(x. )] 

rst(<^)D  =  let{<fs  D(rst,ds)}rstcD(^D) 

rstcD  =  A[d5,x.].[D(rstc,<is),rst(x.)] 

(note(c)^)D  =  note(c)let{c-«-  A[ds,x,].c[D(sw,<f.s),x,]}let{ds  D(note,  <£s)}9?D 
where  /. , x.,y«  are  chosen  fresh 

Figure  9.  Derivation  map  action  on  forms 


a  corresponding  derived  recursion  equation.  The  corollaries  extend  this  to  multiary 
pfns. 

Lemma  (der.rec):  Let  F  be  a  constant  symbol  defined  by 
F(x)  *—  if 

then  the  derivation  F'  of  F  is  defined  (mod  =)  by 
F'[ds,x]  <-  fD 
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Corollary  (der.rec.l):  If  G  is  a  constant  symbol  defined  by 
G[x\^x 2)  <  <p 

then  the  derivation  G'  of  G  is  defined  (mod  =)  by 
G'[ds,x]  <-  [ds,G:(x)] 

Gi(*i)[<k,x2]  ♦-  <^D 

Corollary  (der.rec.2):  For  G,  G',  G1  as  in  (der.rec.l) 

=  let{[ds,xi]  -4- <^i^]}let{[ds, X2]  -4-  V?2^>}G!i(xi)[ds,X2] 

Again  the  proofs  are  just  straightforward  (but  tedious)  computations  simplified 
somewhat  by  (dop.der).  As  an  example  we  prove  (der.rec.2). 

Proof  (der.rec.2): 

Z\et{[ds,g}  +  \et{[ds  uXi]  +  <PiD}G'[dsuXl]}  ■ 
let{[ds,x2]  -4-(^2D} 
g[ds,x  2] 

;;  using  (dop.der.s.app),  recall  G{<p  1,^2)  abbreviates  (G(<p  1  ))(<^2 ) 

=  let{[ds,  <7]  -f-let{[ds!,xi]  -4-¥>iD}[<ki,G!1(xi)]}  ;;  (der.rec.l) 

let{[ds,x2]  h-v>2D) 

g[ds,x2] 

=  let{[dsx,  xi]  -4-  yiD}  ;;  (let. perm) 

\et{[ds,g]^[ds1,G1(x1)}} 
let{[ds,  x2]  -4-  v?2D) 
g[<b,x2] 

=  let{[ds,xi] -4-<^>1D}let{[ds,X2] -4-92D}Gi(x1)[ds,a:2]  ;;  (letv) 

'-'der  .rec.2 

1 .4.  Analysis  of  tree  product  computations. 

To  see  how  derived  properties  and  programs  can  be  used  to  analyze  inten- 
sional  properties  of  programs,  we  return  to  the  tree  product  computations.  In  the 
following  we  assume  O  is  a  subset  of  {Car,  Cdr,  *}  and  D  is  the  primitive  derivation 
sequence  defining  count(O). 
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7.4.1.  Analysis  of  the  recursive  tree  product  pfn 

We  begin  with  the  simple  recursive  pfn  Tp.  Recall 

>  Tp(x)  e-  if(Atom(x),x,*[Tp(Car(x)),Tp(Cdr(x))]) 

To  analyze  properties  of  Tp  we  define  the  pfns  Cells  and  Nodes  where  for  number 
trees  x,  Cells(x)  is  the  number  of  conses  used  to  construct  x,  and  Nodes(x)  is  the 
number  of  nodes  excluding  the  root. 

>  Cells(x)  4-  if(Atom(x),  0, 1  +  Cells(Car(x))  +  Cells(Cdr(x))) 

>  Nodes(x)  ^  if (Atom(x),  0, 2  +  Nodes(Car(x))  +  Nodes(Cdr(x))) 

The  facts  about  the  computation  of  Tp  given  in  §2  axe  formalized  by  the  theorem 
(T  p.cnt).1 

Theorem  (Tp.cnt): 

(mult)  coimt({*},Tp(x))  =  Cells(x) 

(ad)  cotmf({Car,  Cdr},Tp(x))  =  Nodes(x) 

Proof  (Tp.cnt):  Define 

>  TpCnt(x)  4-  fst(Tp'[0,  x]) 

then  by  the  derivation  theorem  we  need  only  show 

O  =  {Car,  Cdr}  TpCnt(x)  =  Nodes(x) 

O  =  {*}  =>  TpCnt(x)  =  Cells(x) 

This  is  follows  by  an  easy  induction  on  number  trees  from  the  lemma  (tpcnt). 
^T  p.cnt 

Lemma  (tpcnt): 

TpCnt(x)  =  if(Atom(x),0,  Dcnt(TpCnt(Car(x)))  +  TpCnt(Cdr(x))) 
where 

o  Dcnt(x)  4-  D(T,  D(Cdr,(D(Car,x)))) 

Note  that  the  expression  T p(x)  denotes  a  dtree  in  expressions  such  as  count({ *},  T p(x)). 
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To  prove  (tpcnt)  we  first  prove  two  lemmas  about  the  derivation  Tp;  of  Tp. 
Lemma  (tpd.eq): 

Tp' [ds,x]  =  if(Atom(x), 

[ds,  x], 

let{[ds,xa]  -eTp'[D(Car,ds),  Car(x)]} 
let  {[ds,  xd ]  +  Tp'^OTr,  ds),  Cdr(x)]} 

[D(*,  ds),  *[xa,  x<i]]) 


Lemma  (tpd.sum): 

T p '[ds,  x]  2  let{[d,  y]  +  Tp'[0,  x]}[ds  +  d,  y] 

Proof  (tpd.eq):  By  assumption  we  have  D(r)  =  I  for  r  in  Rules  -  {Car,  Cdr  *]• 
Thus  .  ^ 

(l.a)  Car(x)  =  [D(Car,  ds),  Car(x)]  ;;  (dop.der.o.app) 

(l.b)  Cdr(x)  —  [D(Cdr,  ds),  Cdr(x)]  ;;  (dop.der.o.app) 

(l.c)  *  [^o^l]D  = 

;;  (dop.der.cart),  (dop.der.s.app),  defn  *' 

Tp(Car(x))D  =  Tp  [D(Car,  ds),  Car(x)]  ;;  (dop.der.s.app),  (l.a) 
Tp(Cdr(x))D  =  Tp  [D(Cdr, ds),  Cdr(x)]  ;;  (dop.der.s.app),  (l.b) 

*P" p(Car(x)),  Tp(Cdr(x))]°  ^  let{[ds,  xa]  Tp'[D(C^,  ds),  Car(x)]} 

let{[ds,  xd)  +  Tp'[D(Gh,  ds),  Cdr(x)]} 
[D(*,ds),*[xa,xd]] 


(l.d) 

(l.e) 

(l.f) 


;;  (l.c,d,e) 
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(l.g)  Tp '{ds,  x }  £  if  (Atom(x),  [ds,  x],  *[Tp(Car(x)),  Tp(Cdr(x))]D) 

;;  (der.rec)  applied  to  Tp 
=  if(Atom(x), 

[ds,x], 

let{[ds,xa]  -*-Tp'[D(Car,  ds),  Car(x)]} 
let{[<£s,Xd]  -«-Tp'[D(Cdr,  ds),  Cdr(x)]} 

[□(*,  tf5),*[xa,x(i]]) 

;;  (if.op),  (l.f) 

^tpd.eq 

Proof  (tpd.sum):  by  induction  on  number  trees 
Case  (Atom(x)): 

Tp^dSjX]  =  [ds,x]  ;;  (tpd.eq) 

—  let{[d,  y]  -<-[0,x]}[ds  +  d,  y])  ;;  (letv)  and  arithmetic 

—  Iet{[d,  y]  -e  Tp'[0,x]}[ds  -f  d,y ])  ;;  (tpd.eq) 

Case  (->Atom(x)): 

Tp'[ds,x]  =  let{[ds,xx]  Tp'[D(Car,  ds),  Car(x)]} 
let{[ds,yy]  -eTp'[D(Cdr,ds),  Cdr(x)]} 

[D(*,  ds),  *[xx,  yy]])  ;;  (tpd.eq) 

=  let{[ds, xx]  let{[da,xa]  -<-Tp'[0,  Car(x)]}[D(Car, ds)  +  da,xa]} 
let{[ds,xx]  let { [cij,  xj]  -«-Tp'[0,  Cdr(x)]}[D(Cdr,  ds)  +  dd,Xd]} 
[D(*,  ds),  *[xx,  yy]])  ;;  induction  hypothesis 

=  let{[da,xa]  -<-Tp'[0,  Car(x)]}let{[ds,  xx]  -e[D(Car,  ds)  +  <fa,xa]} 
let{[d<i,  xd]  -<-Tp'[0,  Cdr(x)]}let{[ds,yy]  -«-[D(Cdr,  ds)  +  d^.x,*]} 
[D(*,  ds),  *[xx,  yy]])  ;;  let. perm 

=  let{[da,xa]  -eTp'[0,  Car(x)]} 
let  { [dd ,  xd )  Tp' [0 ,  Cd r(x )] } 

[ds  +  Dcnt(da  +  dd),  *[xa,  ya]]) 

;;  (letv),  defn  Dent,  arithmetic 
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!et{[d,  y]  -<-Tp'[0,x]}[ds  +  d,  y } 

=  let{[d,  y]  ■+ 

•et{[d0,xx]  -«-Tp'[D(Car,0),  Car(x)]} 
let{[d0,yy]^Tp'[D(Cd^,do),Cdr(x)]} 

[D(*,d0),*[xx,yy]]} 

[ds+d,y]  ;;  (tpd.eq) 

—  Iet{[d0,xx]  Tp'[D(Car,0),  Car(x)]} 
let  {[do,  yy]  -e  Tp'[D(cTr,  d0),  Cdr(x)]} 

[ds  +  D(*,do),  *[xx,  yy]]  ;;  (let. perm, letv) 

-  Iet{[<* 0,  XX]  -e  let{[da,  xa]  +  Tp'[0,  Car(x)]}[D(C^,  0)  +  d0,  xa}} 
let{[d0,yy]  +  ^{[d^xrf]  +  Tp'[0,  Cdr(x)]}[D(Cd~r,  d0)  +  dd,xd]} 
[d^  +  D(*,do),*[xx,yy]]  ;;  induction  hypothesis 

=  Iet{[da,xo]  +  Tp'[0,Car(x)]} 

\*{[dd,xd]  +  Tp'[0,C<ir(x)}} 

[ds  +  Dcnt(d0  +  dd ),  *[xa,  x^]] 

;;  (let.perm,letv),  defn  Dent,  arithmetic 


l^tpd  .sum 
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Proof  (tpcnt):  This  is  an  easy  induction  on  number  trees. 

TpCnt(x)  =  if(Atom(x), 
fst[0,x], 

fst(  let{[ds,  xx]  •+  T p,[D(Car,  0),  Car(x)]} 
let {{ds,  yy]  +  Tp'[D(Cd~r,  ds),  Cdr(x)]} 

[D(*,  ds),  *[xx,  yy]])) 

;;  defn  TpCnt,  (tpd.eq),  (dist) 

=  if(Atom(x), 

°, 

let  {ds  +  fst(Tp'[D(Car,  0),  Car(x)])} 
let  {ds  +  fst(Tp'[D(Cdr,  ds),  Cdr(x)])} 

D  (*,ds)) 

;;  fst  laws 
=  if(Atom(x), 

0,  _ 

let  {ds  let{dsi  -<-fst(Tp'[0,  Car(x)])}D(Car,0)  +  ds\)} 

let{ds  Iet{ds2  -efst(Tp'[0,  Cdr(x)])}D(Cdr,  ds)  +  ds2)} 
D  (*,ds)) 

;;  fst  laws,(tpd.sum) 

=  if(Atom(x), 

°, 

let{ds  D(Car,  0)  +  T pCnt(Car(x))} 
let{<£s  ■+  D(Cdr,  ds)  +  T pCnt(Cdr(x))} 

D  (?,*)) 

;;  (let. perm, letv),  defn  T pCnt 
=  if(Atom(x),  0,  Dcnt(TpCnt(Car(x)))  +  TpCnt(Cdr(x))) 

;;  arithmetic 
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<.4.2.  Analysis  of  the  escaping  tree  product  pfn 

The  analysis  of  Tps  is  similar  to  that  of  T p.  Below  we  outline  the  main  points. 
First  recall  that  Tps  is  defined  by 

>  Tps(x)  *-  note(c)Ts(x,c) 

»  Ts(x,  c)  -  if(Atom(x),  if (Zerop(x),  c(0),  x),  Ts(Car(x),  c)  *  Ts(Cdr(x),  c)) 

To  analyze  properties  of  Tp  we  define  the  pfns  CellsB  and  NodesB  where  for  number 
trees  x,  CellsB (x)  is  the  number  of  cells  whose  subtree  occurs  before  the  first  zero 
in  a  depth-first  traversal  of  x,  and  NodesB(x)  is  the  number  of  nodes  visited  before 
discovering  the  first  zero.  CellsB  and  NodesB  are  defined  by 

>  CellsB(x)  if(Atom(x), 

0, 

if(lnz(Car(x)), 

CellsB(Car(x)), 

if(lnz(Cdr(x)), 

CellsB(Car(x))  +  CellsB(Cdr(x)), 

1  +  CellsB(Car(x))  +  CellsB(Cdr(x))))) 

>  NodesB(x)  <—  if(Atom(x), 

0, 

if(lnz(Car(x)), 

1  +  NodesB(Car(x)), 

2  +  NodesB(Car(x))  +  NodesB(Cdr(x))))) 

The  facts  about  the  computation  of  T ps  given  in  §2  are  formalized  by  the  theorem 
(Tps.cnt). 

Theorem  (Tps.cnt): 

(mult)  cotmt({*},  Tps(x))  =  CellsB(x) 

(ad)  coimt({Car,  Cdr},  T ps(x))  =  NodesB(x) 

Proof  (Tps.cnt):  Define 

>  TpsCnt(x)  <—  fst(Tps,[0,x]) 
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then  by  the  derivation  theorem  we  need  only  show 

(TpsCnt.mult)  O  =  {*}  =»  Tp$Cnt(z)  =  CellsB(z) 

(TpsCnt.ad)  O  =  {Car,  Cdr}  =>•  TpsCnt(z)  =  NodesB(z) 

For  this  we  define  two  auxiliary  pfns  TsD  and  B4. 

>  TsD(z)[ds,c]  ♦—  if(Atom(z), 

if(Zerop(i),c(x),i), 

.(Ts(Car(x),c),Ts(Cdr(x),c)])D 

>  B4(z,d)  <—  if(Atom(z), 

d, 

if(lnz(Car(z)), 

B4(Car(z),  D(Car,  d )), 
if(lnz(Cdr(z)), 

B4(Cdr(z),  D(Cdr,  B4(Car(z),  D(Q,  d)))), 

D(*,  B4(Cdr(z),  D(Cd~r,  B4(Car(z),  D(C?r,  d)))))  ))) 

By  the  derived  recursion  theorem  and  assumptions  on  D  we  have 

Tps'[ds,z]  =  (note(c)Ts(z,c))D  =  note(c)(Ts(z,c))D  =  note(c)TsD(z)[ds,  c]) 

B4  is  a  counter  that  generalizes  CellsB  and  NodesB  and  we  have  the  following 
Lemma  (TsD.cnt):  For  z  €  NTree  d  €  Dint,  c  €  Co 

(0)  O  =  {Car,  Cdr}  =>•  B4(z,d)  =  NodesB(z)  +  d 
O  =  {*}  =*>  B4(z,d)  =  CellsB(z)  +  d 

(1)  TsD{z)[d,  c]  =  if(lnz(z),  c[B4(z,  d),  0],  [B4(z,  d),  T p(z)]) 

(2)  Tps'[d,*]  =  [B4(z,d),Tp(z)] 


The  proof  of  (0)  is  an  ordinary  induction  on  number  trees.  The  proofs  of  (1,2) 
follow  the  outline  of  the  proofs  of  (Ts.Tp)  (§6)  and  (Tps.Tp)  (§2).  (TpsCnt.mult) 
and  (TpsCnt.ad)  follow  easily  from  (TsD.cnt).  DTps.cnt 


*.5.  Possible  elaborations 


The  notion  of  simple  derived  property  accounts  for  many  of  the  intensional 
properties  of  computations  of  interest.  There  are  several  possible  elaborations  that 
would  allow  even  more  to  be  expressed. 

First  note  that  we  cheated  slightly  in  saying  that  the  maximum  stack  depth  is 
an  s.d.p.  Namely  it  is  Cdr  of  the  s.d.p.  defined  in  the  proof  of  (max.stack).  To  fix 
this  we  generalize  s.d.p.s  to  be  given  by  a  primitive  derivation  D,  an  initial  value 

a,  and  an  output  function  p.  Then  the  given  derived  property  of  a  computation 
sequence  E  is  p(ED (a)). 

We  can  also  generalize  the  class  of  primitive  derivations.  One  possibility  is  for 
primitive  derivations  to  take  an  encoding  of  the  computation  state  as  an  argument 
(from  which  the  rule  applied  can  be  deduced).  This  would  allow  a  more  complete 
trace  to  be  defined  which  includes  for  example  not  only  the  data  operation  names 
but  also  the  arguments.  Also  deriving  functions  for  data  operations  could  make 
the  cost  of  the  operation  depend  on  the  argument. 

Another  possibility  is  to  add  more  structure  to  objects  such  as  forms  and  pfns. 
For  example  one  could  add  tags  to  As  and  to  data  operations  so  that  different 
occurrences  could  be  distinguished.  This  trick  was  used  by  [Wegbreit  1976]  in  an 
intensional  analysis  of  programs. 
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8.  Conclusions 

We  have  developed  an  intensions!  semantic  theory  of  function  and  control 
abstractions  and  illustrated  the  use  of  this  theory  for  programming  and  for  proving 
both  intensions!  and  extensions!  properties  of  programs. 

The  extensional  theory  is  based  on  the  notions  of  operational  approximation, 
equivalence,  and  membership.  Operational  approximation  is  a  partial  ordering 
that  abstracts  the  “less  defined  than”  relation  and  has  many  of  the  properties  of  the 
partial  ordering  in  the  graph  model  of  the  lambda  calculus  [Scott  1976],  including 
extensionality,  restricted  eta,  and  the  least-fixed  point  property  of  the  recursion 
operator.1  The  operational  membership  relation  allows  one  to  express  definedness 
and  descriptive  type  information.  These  relations  together  with  mechanisms  for 
defining  subsets  of  the  value  domain  axe  the  basis  for  a  rich  theory  for  expressing 
properties  of  programs.  The  theory  presented  is  first-order  except  for  the  reliance 
on  semantic  definitions  of  sets  of  values.  This  can  be  fixed  by  talcing  the  approach 
of  [Feferman  1975,79,85]  to  develop  a  first-order  theory  of  operations  and  classes 
over  a  computational  universe. 

The  intensional  theory  is  based  on  the  notion  of  derived  property.  Derived 
properties  of  programs  can  be  obtained  by  “instrumenting”  the  operational  seman¬ 
tics.  Computation  of  derived  properties  of  programs  can  be  thought  of  as  a  “non- 
standard”  interpretation  of  programs.  Programs  can  be  transformed  uniformly  to 
compute  derived  properties  and  hence  reduce  reasoning  about  derived  properties 
to  reasoning  about  ordinary  programs.  We  gave  a  systematic  transformation  for 
obtaining  derived  programs  based  on  a  particular  form  of  definition  of  derived 
property.  More  generally,  one  could  obtain  derived  programs  by  specializing  an 
instrumented  interpreter,  and  a  transformation  from  programs  to  corresponding 
derived  programs  could  then  be  obtained  by  specializing  the  specializes  These  are 
examples  of  a  general  technique  known  as  partial  evaluation  (cf.  [Jones,  et.  al. 
1989]). 

Although  we  obtained  our  extensional  theory  of  function  and  control  abstrac¬ 
tions  by  starting  with  the  Rum  semantic  theory  and  extracting  the  key  laws  as 
axioms  one  could  also  take  the  view  that  these  axioms  characterize  a  class  of 
models  {Rum  being  one  such  model)  and  investigate  this  class  of  models  in  more 
depth.  Such  an  investigation  would  build  on  the  work  of  [Moggi  1986,  1989].  Also, 
the  operational  semantics  and  derived  properties  or  other  non-standard  interpre¬ 
tations  can  be  considered  as  models  of  a  common  semantic  language  sharing  some 
basic  axioms.  Thus  we  can  structure  the  variety  of  interpretations  of  programs  in 


1  For  further  discussion  of  the  relation  between  operational  approximation  and  the  partial 
ordering  induced  by  interpretation  in  Scott  type  domains  see  [Plot kin  1977]. 
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an  algebraic  framework  for  programming  language  theories.  Preliminary  ideas  for 
setting  up  such  a  framework  are  presented  in  [Talcott  1989]. 

An  alternative  approach  to  equational  reasoning  about  function  and  control 
abstractions  is  given  in  [Felleisen  and  Friedman  1986,  Felleisen  1987,  Felleisen 
et.  al.  1987].  Here  lambda- v-c  equivalence  is  defined  by  a  two-level  equational 
calculus  derived  from  an  abstract  machine  similar  to  our  state-transition  semantics. 
Operational  equivalence  includes  lambda-v-c  equivalence  and  the  rules  generating 
lambda-v-c  equivalence  are  provable  in  our  theory. 

Reduction  calculi  and  operational  approximation  both  provide  a  sound  basis 
for  purely  equational  reasoning  about  programs.  Calculi  have  the  advantage  that 
the  reduction  relations  are  inductively  generated  from  primitive  reductions  (such 
as  beta-conversion)  by  closure  operations  (such  as  transitive  closure  or  congruence 
closure).  Equations  proved  in  a  calculus  continue  to  hold  when  the  language  is 
extended  to  treat  additional  language  constructs.  Operational  approximation  is, 
by  definition,  sensitive  to  the  set  of  language  constructs  and  basic  data  available. 
For  example,  in  the  call-by-value  lambda  calculus  with  only  algebraic  operations, 
a  do-forever  loop  is  equivalent  to  the  totally  undefined  function,  for  any  value  of 
its  function  parameter.  But  in  the  presence  of  control  abstractions  that  provide 
a  mechanism  for  escaping  from  or  forgetting  the  current  computation  context, 
until  loops  can  be  defined  using  the  do-forever  loop  (cf.  [Talcott  85,  Chapter- V]). 
[Mason  and  Talcott  1989b]  give  examples  of  change  in  operational  equivalence 
when  memory  and  updating  is  introduced.  Using  operational  approximation  we 
can  express  and  prove  properties  such  as  non- termination,  computation  induction, 
and  least  fixed-points,  which  cannot  even  be  expressed  in  a  reduction  calculus 
framework.  Finding  the  correct  balance  between  insensitivity  to  extensions  of  the 
language  and  the  expressive  power  of  operational  approximation  is  an  important 
problem.  Studying  the  laws  of  operational  approximation  and  discovering  natural 
extensions  to  reduction  calculi  provide  useful  insight  into  this  problem. 

In  addition  to  function  and  control  abstractions,  Lisp-  and  Scheme-like  lan¬ 
guages  also  provide  primitives  for  creating  and  manipulating  objects  with  memory. 
[Mason  and  Talcott  1985]  gives  a  semantics  of  a  language  of  first  order  recursion 
equations  acting  on  objects  with  memory  (Lisp  list  structures)  and  gives  many  ex¬ 
amples  of  proving  program  equivalence  based  directly  on  this  semantics.  [Mason 
19S6]  builds  on  this  work.  A  model- theoretic  equivalence  called  strong  isomor¬ 
phism  is  introduced  and  used  as  the  basis  for  studying  program  equivalence  and 
transformational  programming.  Two  expressions  are  strongly  isomorphic  if  for  any 
environment  and  memory  they  are  either  both  undefined  or  both  reduce  to  the 
same  value  and  have  the  same  effect  on  memory  modulo  production  of  garbage. 
Several  decidability  results  are  given,  the  laws  of  strong  isomorphism  are  studied 
in  some  detail,  and  many  examples  of  proving  program  properties  are  presented 
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including  non-trivial  programs  such  as  the  Robson  copy  algorithm  and  a  struc¬ 
ture  editor  that  edits  destructively  (a  copy  of  the  original  structure).  [Felleisen 
1987,  1988b]  presents  a  two- level  calculus  for  a  scheme-like  language  with  function, 
control,  and  assignment  abstraction.  In  the  basic  language  environments  bind  vari¬ 
ables  to  mutable  objects,  variables  can  not  be  treated  as  values,  and  beta-value 
conversion  is  not  a  valid  rule.  Thus  it  is  necessary  to  have  two  sorts  of  lambda 
variables  -  assignable  and  non-assignable.  To  account  for  memory  and  sharing  the 
syntax  is  extended  to  include  labeled  values.  A  variety  of  examples  of  reasoning 
about  programs  are  given.  It  was  found  necessary  to  extend  the  basic  calculus  in 
order  to  carry  out  some  of  the  examples.  [Mason  and  Talcott  1989b]  gives  an  al¬ 
ternative  approach  to  treating  programs  with  memory  and  function  abstractions. 
Here  the  call-by- value  lambda  calculus  is  extended  by  adding  operations  for  creat¬ 
ing,  accessing,  and  updating  memory  cells.  A  syntactic  representation  of  memory 
is  developed  that  permits  computation  rules  to  be  expressed  by  a  reduction  re¬ 
lation  on  expressions.  This  forms  a  natural  basis  for  equational  reasoning  about 
objects  with  memory.  The  theory  of  operational  approximation  and  equivalence 
for  this  case  was  studied  and  tools  were  developed  for  proving  equivalence.  In 
[Mason  and  Talcott  1989a]  a  formal  system  is  presented  for  proving  constrained 
equivalence  for  programs  with  side  effects.  Constrained  equivalence  is  a  relation 
between  finite  sets  of  constraints  and  a  pair  of  expressions  that  holds  in  the  case 
that  the  expressions  are  strongly  isomorphic  in  all  memory  contexts  satisfying  the 
constraints.  A  constraint  may  require  a  variable  to  be  an  atom  or  cell,  it  may 
require  a  variable  to  be  equal  or  distinct  from  another  variable  or  constant,  or  it 
may  require  some  component  of  the  contents  of  a  variable  ranging  over  cells  to  be 
equal  to  some  variable  or  constant.  The  deduction  system  is  complete  for  first- 
order  expressions  that  contain  no  occurrences  of  recursively  defined  functions  and 
a  decision  procedure  has  been  extracted  from  the  proof  of  equivalence.  In  the  first- 
order  fragment  strong  isomorphism  is  the  same  as  operational  equivalence.  In  the 
full  higher-order  case  strong  isomorphism  implies  operational  equivalence  (but  not 
conversely)  and  methods  for  proving  strong  isomorphism  are  useful  for  large  classes 
of  problems  even  in  the  higher-order  case.  [Mason  and  Talcott  1989c]  gives  many 
examples  of  applications  of  the  theory  developed  in  [Mason  and  Talcott  1989a, b] 
including  extending  first-order  examples  to  the  higher-order  case,  traversing  struc¬ 
tures  for  effect,  relating  objects  and  behavior  descriptions,  and  memoizing  thunks 
and  streams.  More  complete  surveys  of  reasoning  about  programs  with  memory 
can  be  found  in  [Mason  1986]  and  [Felleisen  1987]. 
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10.  Appendix:  Proofs  and  technical  miscellaney 


This  appendix  collects  proofs  and  discussions  of  technical  issues  that  are  rel¬ 
evant  to  the  development  of  programming  theories  but  not  necessary  for  their 
use. 


10.1.  Properties  of  operational  relations 

We  begin  by  defining  a  family  of  refinements  of  the  operational  relations.  The 
facts  operational  stated  in  §4  are  then  restated  and  proved  in  more  general  form. 

10.1.1.  A  refinement  of  operational  approximation  and  equivalence 

Operational  equivalence  as  defined  in  §5  has  the  property  that  if  two  dtrees 
are  equivalent  then  either  both  are  undefined  or  both  escape  (returning  a  value 
to  the  top  level)  or  both  return  a  value  to  the  calling  context,  independent  of  the 
context.  In  the  case  of  value  returned,  the  values  are  equivalent.  However  in  the 
case  of  escaping,  the  values  returned  to  the  top  level  need  not  be  equivalent.  For 
example  top(Bot)  =  top(l)  both  escape  and  return  pfns  to  the  top  level.  But,  Bot 
and  I  axe  clearly  not  equivalent  values. 

We  can  refine  the  operational  approximation  and  equivalence  relations  to 
obtain  relations  and  =w  that  satisfy  all  the  properties  given  for  C  and  =  and, 
in  addition,  to  have  that  related  dtrees  that  escape  return  related  values  to  the 
top  level.  The  refinement  is  obtained  by  talcing  the  limit  of  a  chain  of  refinements 
of  trivial  approximation  treating  operational  approximation  as  the  first  refinement 
of  trivial  approximation. 

>  (Refini«g  operational  relations):  For  n  €  N,  *  a  dtree,  value  or  state,  and 
a  <  u  (the  le'ast  infinite  ordinal). 

~n  ^  df  top  *  uo  =>  (3ui)(t>0  Vi  A  Ci  >— *•  top  A  Vi)) 

S°  En+1  Si  =  (V7X7  v  60  Cn  7  V  Si) 

af  ' 

Vo  En+1  t>!  =  (V7X7  A  u0  Qn  7  A  Wl) 

di 

Xo  Xl  =  (^n)(X0  En  Xl) 

dl 
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10.1.2.  Proofs  of  easy  consequences 

Theorem  (Pre-order):  Cm  is  reflexive  and  transitive  for  all  m 

Proof  (Pre-order):  An  easy  consequence  of  the  definitions  (using  induction 
on  m).  □ 

Theorem  (Refinement):  If  m  <  n  then  Cn  is  a  subrelation  of  Cm. 

Proof  (Refinement):  Exercise.  □ 

Theorem  (Pointwise): 

Uo  En+1  t>l  =»  luo  I  =  lui  I  A  (Vl  <  |v0  l)(voii  En+1  ^llt) 

Proof  (Pointwise):  Exercise.  □ 

Corollary  (Pointwise):  do  Cm  d\  &  do  =  d\ 

Theorem  (Computational  facts): 

(i)  Co  >—*  Cl  Co  — m  Cl 

(ii)  Co  ►  top  A  U0  A  Cl  >— ►  top  A  l>!  =*  Co  Em  Cl  &  u0  Em  t>l 

Proof  (Computational  facts):  a  direct  consequence  of  the  definitions  and 

the  unicity  of  the  single-step  relation  and  hence  of  evaluation  when  defined.  □ 

Theorem  (Environment  substitution):  If  £o(s)  Cm+1  £i(s)  for  all  s  free  in 
ip  then  (ip  :  £0)  Cm+1  (<p  :  £j). 

Proof  (Environment  substitution):  This  is  an  instance  of  the  substitution 
theorem  below.  However  it  has  a  simple  direct  proof.  Suppose  <f  has  only  one  free 
variable  x  and  £o(x)  Em+i  £i-  Then  for  any  continuation  7 

7  *  (<P  ■■  Co) 

=m  7  0  appc((Ax.t,i?  :  {}))  a  u0  ;;  computation 

Em  7  0  appc((Ax.<y9  :  {}))  a  v\  ;;  since  v0  Cm+i  vi 

=m  7  v  (<P  :  Cl)  ;?  computation 

The  general  case  is  an  easy  induction  on  the  number  of  free  variables  in  f  using 
the  above  argument.  □ 
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10.1.3.  Substitution 

Recall  that  for  any  semantic  entity  (dtrees,  values,  continuations,  and  states) 
X I  1  is  an  entity  with  holes  of  some  sort  (determined  by  context)  and  that  then 
xlxol  is  the  result  of  filling  the  hole  with  xo  when  Xo  is  an  entity  of  the  same  sort 
as  the  holes.  It  is  easy  to  see  that  the  computation  rules  extend  naturally  to  states 
*  with  holes  with  steps  uniformly  parameterized  by  the  holes  except  when  holes  are 
actually  touched.  A  continuation  hole  is  only  touched  if  it  is  the  continuation 
component  of  a  state,  a  dtree  hole  is  only  touched  if  it  is  the  dtree  component  of 
i  a  begin  state,  an  operation  hole  is  only  touched  if  it  is  the  value  part  of  an  appe 

continuation  (see  [Talcott  1985]  V.3  for  a  similar  elaboration). 

Theorem  (Substitution):  If  Xo,Xi  are  dtrees,  continuations,  or  values  such 

that  xo  En+i  Xi  then  xttxol  En+i  xlxij  for  x  any  dtree  or  value  with  holes  of  a 
suitable  sort. 

Corollary  (subst. omega):  If  xo,Xi  are  dtrees,  continuations,  or  values  such 

that  xo  Eu>  xi  then  x[xoJ  Eu,  xlxil  for  x  any  dtree,  value,  or  state  with  holes  of 
a  suitable  sort. 

Proof  (Substitution):  Let  Xo,Xi  be  continuations,  dtrees,  or  operations.  We 
will  prove  by  induction  on  n  that  xo  En+i  Xi  implies 

0)  ClxoJ  En  Clxil  for  any  state  Cl  J  with  holes  of  a  suitable  sort,  and 

(“)  xlxoj  En+i  Xlxij,  for  any  dtree  or  value  x[  1  with  holes  of  a  suitable  sort. 

The  case  Xo,Xi  are  arbitrary  values  follows  easily. 

Clearly,  u[x0J  Eo  u[xij  f°r  any  value  uj  J  with  holes  of  a  suitable  sort.  For 
each  n,  (ii)  follows  easily  from  (i).  By  the  induction  hypothesis,  we  need  only  show 
that  (for  any  n)  xo  En+i  Xi  and  u[xoJ  En  atxij  for  any  value  J  with  holes  of  a 
suitable  sort  implies  Clxo]  En  C[Xi]  for  any  state  Cl  J  with  holes  of  a  suitable  sort. 
This  is  done  in  the  lemmas  below:  (subst. c)  for  the  continuation  case;  (subst. d) 
for  the  dtree  case;  and  (subst. o)  for  the  operation  case.  □ 

Lemma  (subst. c):  If 

■  (ret-hyp)  70  Em+i  7i  (as  values),  and 

■  (top-hyp)  uf7oJ  Em  u|7ij  for  all  values  u|  J  with  continuation  holes 

then  Choi  Em  Chi]  for  all  states  Cl  ]  with  continuation  holes. 

Proof  (subst. c):  By  induction  on  the  length  of  the  computation  of  Choi 

(assuming  defined)  and  cases  on  the  form  of  C[  J. 

Case  (top):  C[  1  has  the  form  top  a  J.  Use  (top-hyp).  D^p 
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Case  (step-unif):  Cl  1  has  one  of  the  forms 

7l  1  0  ifi(M  1»M  1)  *  «[  1 
7l  1  o  appi(<5[  1)  ^  u[  1 
7[  1  0  appc(tf)  A  u|  1 
7l  1  o  carti(5[  ])  *  u[  ] 

7[  1  ocartc(u[  1)  a  u[  ] 

7 1 1  ofstc  a  u|  1 
7[  ]  o  rstc  a  ] 

7[  1  v  41 

Then  there  is  a  state  Co  such  that  Cl  1  > — ►  Col  1  uniformly  (with  out  touching  the 
holes).  By  the  computation  induction  hypothesis  we  have  CoItoJ  Em  Cott7il  and 
by  the  computation  facts  we  are  done.  □step-unif 

Case  (hole):  C[  1  has  the  form  [  ]  a  uf  ].  By  the  top  case  and  uniform  step 
arguments  70  *  u[7oJ  Em  70  a  u[7ij.  By  (ret-hyp)  and  computation 

7o  A  u[7l!  Em  topappi(u|7j|)  *  70  Em  topappi(u[7i])  a  7l  Cm  7l  a  u[7lJ 

'-'hole 

Lemma  (subst.d):  If 
.(ret-hyp)  60  Em+i  4,  and 

•  (top-hyp)  u[£0J  Em  u[4j  for  all  values  uf  |  with  dtree  holes 
then  CIM  Em  CM  f°r  all  states  C[  1  with  dtree  holes. 

Proof  (subst.d):  The  proof  is  analogous  to  the  proof  of  (subst.c).  The  only 
difference  is  the  hole  case.  In  this  case  Cl  1  has  the  form  7[  ]  ^  [  ].  By  the  uniform 
step  argument  7M  v  Em  7M  v  4  and  by  (ret-hyp)  7I61J  v  S0  Em  7M  v 
<5i.  □ 

Lemma  (subst.o):  If 
.(ret-hyp)  i90  Em+i  i?i,  and 

■  (top-hyp)  u[t?ol  Em  u[i9i]  for  all  values  uf  ]  with  operation  holes 
then  CM  Em  CM  for  all  states  Cl  1  with  operation  holes. 

Proof  (subst.o):  Again,  the  proof  is  analogous  to  the  proof  of  (subst.c)  with 
the  only  difference  being  the  hole  case.  Here  C[  1  has  the  form  7  0  appc(f  ])  a  uf  ]. 
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7l  1  0  appc(^o)  *  «[  1  steps  uniformly  to  a  smaller  computation  and  by  (ret-hyp) 
and  computation 

7[i9i!  o  appc(i?0)  A  7[t?1Jappi(u[r?1])  a 

Em  7l^ilappi(u[t?il)  *  J?i 
Em  tM  o  appc(t?i)  a  u^x] 

□ 

10.1.4.  Extensionality  and  recursion 
Theorem  (Extensionality): 

(ext .op)  t90  En+i  t?i  (Vu)(i?0(u)  C„+i  ^(v)) 

(ext.co)  70  Cm+i  7x  (Vv)(y0  *  v  En  7i  *  v) 

Proof  (Extensionality):  The  onlyif  directions  are  instances  of  the  substitution 
theorem.  The  if  direction  follows  from  (ext.op)  and  (ext.co)  (see  below)  by  the 
same  argument  as  for  the  substitution  theorem.  □ 

Lemma  (ext.op):  If 

•  (ret-hyp)  i!?o(v)  Qm+1  t?x(u)  for  all  v,  and 

■  (top-hyp)  u|t90J  Em  u|^ij  for  all  values  ttj  ]  with  operation  holes 

then  CM  Em  CM  f°r  all  states  C[  1  with  operation  holes. 

Proof  (ext.op):  As  in  the  proof  of  (subst.o)  the  only  non-automatic  case  is 
where  Cl  1  has  the  form  7[  J  o  appc([  J)  a  u[  J.  Here  7[  J  o  appc(tfo)  a  u[  J  steps 
uniformly  to  a  smaller  computation  and  by  (ret-hyp)  and  computation 

7M  0  appc(tfo)  a  i*M  Qm  7[i9xJ  v  ^0(u[^i]) 

Em  7M  v  t?i(u[t?xj) 

Ern  tIM  0  appeal)  A  ufi?x] 

□ 

Lemma  (ext.co):  If 
» (ret-hyp)  70  a  v  Cm  71  a  v  for  all  v,  and 

•  (top-hyp)  u|7oJ  Em  u|7ij  for  all  values  u|  ]  with  continuation  holes 
then  CI70J  Em  Cl7i]  f°r  all  states  C[  1  with  continuation  holes. 
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Proof  (ext.co):  As  in  the  proof  of  (subst.c)  the  only  non-automatic  case  is 
where  £|  ]  has  the  form  |  ]  a  u[  ].  By  the  top  case  and  uniform  step  argument 
7o  *  «[7o]  Em  7o  A  «[7i]  and  by  (ret-hyp)  j0  *  «[7iJ  Em  7i  A  “hi]-  □ 

Theorem  (Recursion):  Let  t?  be  a  closure  of  XfXx.ip  then  the  recursion  op¬ 
erator  Rec  computes  the  least  fixed-point  of  i9  with  respect  to  each  refinement  of 
the  operational  approximation  ordering.  I 

(fix)  Rec(i?)  £m+1  t?(Rec(t?)) 

(min)  t?(t?0)  Em+i  t?o  =►  Rec(tf)  Cm+1  i90 


Proof  (Recursion): 

Case  (fix):  by  computation  Rec(i9)(u)  =m+i  t?(Rec(t9))(u)  for  any  v.  Now  use 
extensionality. 

Case  (min):  By  (rec. min)  (see  below)  and  the  argument  used  in  the  proof  of 
the  substitution  theorem  we  show  (by  induction  on  m)  that  (|Rec(t9)]  Cm  £|tf0)] 
for  any  state  Cl  1  with  operation  holes,  and  ufRec(t?)J  Cm+i  u[t?o)J  for  any  value 
uj  J  with  operation  holes.  □ 

Lemma  (rec.min):  Assume  $  is  a  closure  of  XfXx.tp.  If 
.(ret-hyp)  *9(tf0)  Em+i  do,  and 

•  (top-hyp)  u|Rec(d)|  Cm  tt|[dol  for  all  values  u[  J  with  operation  holes 

then  C[Rec(d)]  Cm  Cl^oJ  for  all  states  £[  J  with  operation  holes. 

Proof  (rec.min):  As  in  the  proof  of  (subst.o)  the  only  non-automatic  case  is 
where  C[  1  has  the  form  7|  |  o  appc(|  ])  a  u|[  ].  Assume  that  d  =  (Xf.Xx.ip  :  f). 
Then 

7[Rec(d)J  o  appc(Rec(d))  a  u|[Rec(d)] 

Em  7|[Rec(d)]  v  (v5  :  £{/  -+■  Rec(d),  x  •+■  ii[Rec(i9)]})  ;;  computation 

Em  7[do)l  v  (v5  :  £{/  do,  £  u|do|})  ;;  induction  hypothesis 

— m  7l^ol  0  appc(d(t?o))  A  ujdoj  ;;  computation 
Em  7W  0  appc(t?0)  A  u|t90J  ;;  (ret-hyp) 


□ 
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* 


We  have  defined  a  sequence  of  refinements  of  operational  approximation  Cn. 
The  motivation  for  developing  these  refinements  was  that  while  we  have  Xo  Ei  Xi 
implies  X[Xol  Ei  xlxil  f°r  Xo?Xi  dtrees,  values,  or  continuations  and  xi  ]  a 
dtree  or  value  with  holes  of  a  suitable  sort,  it  is  not  the  case  that  under  the  same 
assumption  Clxol  Qi  C[XiJ  for  any  state  Cl  1  with  holes  of  suitable  sort.  Thus 
distinguishable  values  can  be  returned  by  ‘indistinguishable’  dtrees.  This  holds 
for  each  refinement  Cn+1.  However,  by  taking  the  intersection  of  this  chain  of 
approximations  we  have  an  approximation  relation  such  that  for  xo,Xi  are 
dtrees,  values,  or  continuations  Xo  Ew  Xi  implies  xlxoj  Ew  xlxi]  for  X|  ]  any 
dtree,  value  or  state  with  holes  of  a  suitable  sort. 

It  is  not  clear  what  the  importance  of  this  refinement  is  for  our  language,  since 
all  of  the  properties  we  need  for  our  theory  hold  for  each  Cn+1,  i.e.  Ca  provides  a 
model  for  the  theory  for  any  a  with  1  <  a  <  u.  However  the  ability  to  refine  may 
become  important  in  the  case  of  languages  which  have  composable  continuations  or 
the  ability  to  delimit  the  scope  of  continuation  capture  and  aborting  ( cf.  fFelleisen 
1988a],  [Danvy  1989]). 


10.2.  Proofs  of  some  simple  derived  laws 

Here  we  fill  in  the  details  for  proof  of  the  “simple  derived  laws”  given  in  the 
§5. 

Theorem  (Laws  about  functions): 


(lam.abs) 
(op. eta) 
(cmps.id) 
(cmps. assoc) 
(bot) 


(Vs  €  V*)(y>0  =  <pi)  ^  Xx.tpo  =  A x.ipi 
/  €  O  =*  A z.f(z)  £  / 

/€©=>•  lo/a/a/oi 

(fog)oh^fo(goh) 

9  €  O  =>  Rec(A/.As./(s))  C  g 


Proof  (lam.abs):  Assume  (Vs  €  V*)(<^o  —  <fi)  then  by  (letv) 

(As.<^0)(s)  Sf  v?0  2  v?i  S  (As.Vl)(s) 
for  all  s  and  by  (op.ext)  we  are  done.  □ 

Proof  (op.eta):  Assume  /  €  O  then  by  (letv)  (A z.f(z))(z)  2  f(z)  and  by 

(op.ext)  we  are  done.  □ 

Proof  (cmps. id, cmps. assoc):  by  computation  and  (op.ext).  □ 
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Proof  (bot):  by  (rec.min)  since  by  (op. eta)  ( A/.Ax./(x))(y )  =  g.  □ 
Theorem  (If  laws): 

(if.sort)  <po  €  Uq  A  €  U\  ^  if(z, <po, <pi)  eUoUUi 
(if.elim)  if  (z,  </?,  <p)  =  <p 

(if.perm)  if(x,if(y,v?a,  v?b),if(y,<^c,V?d))  =  i%,'f(z,V?a^c)jf(s,Y’b,<Ai)) 
(if.lam)  \x.tf(z,tpi,<P2)  —  if(z,  Ax.^i,  Ax.^2) 

(if.subst)  (ip  €  V+  =*►  pi  =  t/?3)  A  (</?  =  mt  =*«  y>2  =  <^4)  A  €  V* 

Proof  (if.sort):  by  vcases.  Assume  i/?o  €  £/o  and  p>\  €  U\  then 
Case  (z  =  mt):  by  (ifmt)  and  inlaws  if(z,<,Po, P\)  —  Po  €  Uq  U  U\. 

Case  ( z  €  V+):  by  (ifnmt)  and  inlaws  if(z,  y>a,  </>i)  —  <fii  €  U  f/i .  □ 

Proof  (if.elim):  by  vcases 

Case  (z  =  mt):  if(z,  p,<p)  =  <p  hy  (ifmt) 

Case  ( z  €  V+):  if (z,tp,cp)  =  <p  by  (ifnmt)  □ 

Proof  (if.perm):  by  vcases  using  if  laws.  □ 

Proof  (if.lam):  by  vcases  using  (op. ext).  □ 

Proof  (if.subst):  Assume  <p  €  V+  ^  =  <^>3,  p>  =  mt  =$>  <p2  =  p>\  and 

<p  €  V*.  Then 

<p  €  V+  =►  if (<p,ipup2)  =  <pi  =  <p3  =  if(v?,<^3,94) 

and 

=  mt  =>  if(y>, 9i,v?2)  =  P>2= 

and  by  vcases  we  are  done.  [Note  that  the  hypothesis  <p  £  V*  was  needed  in  order 
for  vcases  to  apply.]  □ 

Theorem  (Cart  laws): 

(cart. assoc)  [[p0,  v?i],  P2]  =  [<y?o,  [v?i > ^2]] 

(fst.rst)  ieV+  ^  fst[x,y]  =  fst(x)  A  rst[x,y]  =  [rst(x),y] 
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Proof  (cart. assoc):  Choose  fresh  c,  x,y,x  with  c  €  Co  then  by  the  caxt  com¬ 

putation  laws 

cQKv’o,  <Pi],<P2])  —  (c  o  carti(<^2)  o  carti((/?1))(</?0) 

c([^o,[v?i,V?2]])  =  (cocartifl^^DXy’o) 

(c  o  carti(y>2)  o  carti(y>i))(x)  =  (c  o  carti(<,c>2)  o  cartc(x))(y>1 ) 
(cocarti([¥>1,¥?2]))(x)  *  (co  cartc(x)  o  carti(92 
(cocarti(<^2)ocartc(x))(y)  £  (c  o  cartc([x,  y]))(^2) 

(c  o  cartc(x)  o  carti(<p2))(y)  =  (co  cartc(x)  o  cartc(y))(</?2) 

(cocartc([x,y]))(x)  Zc[[x,y],z] 
and 

(c  o  cartc(x)  o  cartc(y))(z)  £  c[x,  [y,  z}} 

hence  by  (op. ext),  (c.ext)  and  the  basic  caxt  laws  we  axe  done.  □ 

Proof  (fst.rst):  Assume  x  €  V+  then 

fst(x)  €  V  ;;  in  laws 

■fst[ar,  j/]  =  fst[fst(x),  [rst(x),  y]]  =  fst(x)  ;;  cart  and  in  laws 
rst[x,y]  =  rst[fst(x),  [rst(x),  y]]  =  [rst(x),y]  ;;  cart  and  in  laws 

□ 

Theorem  (Note  laws): 

(note.triv)  note(c)y>  =  <p  ;;  c  not  free  in  9 
(note. id)  note(c)c(<^?)  =  ip  ;;  c  not  free  in  <p 

(note. esc)  c  €  Co  =»  c  o  (Ax.note(c)<p)  =  c  0  (Ax.ip) 

(note.ren)  note(c)note(c')y?  Si  not e(c)ip{c'/c} 

Proof  (note.triv):  by  (c.ext)  since  by  computation  c(note(c)9)  —  c(<^).  □ 

Proof  (note. id):  by  (c.ext)  since  by  computation  c(note(c)c(<,e>))  =  c(c(iz>)) 

and  by  (sw *)  c(c(y?))  S  c(^>).  □ 

Proof  (note. esc):  by  (op. ext)  since  by  computation  we  have 

(c  o  Ax.not e(c)v?)(x)  Si  c(note(c)<p)  Si  c(< p)  Si  (c  0  \x.<p)(x) 
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□ 

Proof  (note.ren):  by  (c.ext)  since  by  computation  we  have 

c(note(c)note(c')v?)  =  c(note(c»  *  c(<p{c'/c})  £  c(note(c)v?{c7c}) 

□  I 

10.3.  Proof  of  context  motion  theorem 

i 

Theorem  (context  motion):  Let  C  be  an  evaluated  position  context  and  let 
c  range  over  continuations.  Assume  Frees[>p,  x,  c,  k]  D  trap(C)  =  0  and  x,  k  are  not 
free  in  C.  Then 

(letx)  let{x  -e  <^}C[xJ  £  C%] 

(escape)  C|[c(9?)J  £  c(<p) 

(let.dist)  Clletlx-f^}^!  =  let{x 

(if.dist)  C'|if(v?,v»i,v>2)l  S  i%,CM,CM) 

(note.dist)  Cfnote^ol  =  note(A:)let {A:  +  ko  \x.C{x\}CIwq\ 

We  begin  with  proofs  of  lemmas  that  correspond  to  special  cases  and  required  for 
the  base  case  in  the  induction  on  context  structure. 

Lemma  (sw’):  c,c'  €  Co  =*  c(c'(<^))  £  c'(<p) 

Proof  (sw  ):  Assume  c,c'  €  Co  then  c(c'(<p))  =  c  o  appc (c')(<p)  by  (app,appi); 

c  o  appc(c  )(x)  £  c(c'(x))  £  c'(x)  by  (app,appi)  and  (sw);  and  c  o  appc(c')  £  c' 
by  (op. ext).  □sw, 

Lemma  (esc.arg):  c  €  Co  =>  f(c{<p))  £  c(tp) 

Proof  (esc.arg):  4 

c'{ /( c(lf))  —  c'  o  appc(f)(c(<p))  ;;  computation 

—  c(v)  ;;  (sw’) 

—  ^(v5))  ;;  (sw’) 

hence  by  (c.abs)  we  are  done.  Desc.arg 

Lemma  (if.arg):  /( i%0,^,^2)  £  if(<A),/(^),/(Y?2)) 
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Proof  (if.arg):  By  computation 

c(/('f 0po,9i»V2))  =  coappc(/)  oifi(<^1,V)2)(^o) 
cOffaoj/fai),/^)))  -  co  ifi(/(y>1),/(^2))(^0) 

x  S  mt  =>  c  o  appc(/)  o  ifi(v?i ,  y>2)(x)c  o  appc(/)(v?2 )  S  c  o  ),  /(^2 ))(*) 

x  6  V+  coappc(/)  o  ifi(¥>i,(,P2)(x)c  o  appc(/)(<lp1)  =  coifi(/((li51),/(^2))(x) 
Thus  by  value  cases 

c  0  appc(/)  0  ,  <p2)(x)  S  c  o  ifi(/(v?i ),  f((p2))(x) 

and  by.(c.ext)  and  (op.ext)  (taking  c,x  fresh)  we  are  done.  Djr 
Lemma  (note.if):  If  c  is  not  free  <po  then 

note(c)if(^?o,  =  if(<^o,  note(c)iplf  note(c)<p2) 

Proof  (note.if):  By  computation  we  have 

(i)  c(note(c)if(y?0,¥>i,  92))  =  coifi(^1,^2)(^0) 

(ii)  c(i%0,  note(c)v?i,  note(c)v>2))  S  c  0  ifi(note(c)v?i,  note(c)v?2))(v?o) 

(iii)  x  =  mt  =*•  co  ifi(<^i,  v?2)(x)  =  c(y>2)  =  co  ifi(note(c)y?i, note(c)<^2))(x) 

(iv)  x  €  V+  =^-  co  ifi((101,(1si2)(x)  ^  c(v?i)  =  co  ifi(note(c)y>i,note(c)!,i?2))(x) 

Thus  by  value  cases  we  have 

co  ifi((^i, *Pi)(x)  =  co  ifi(note(c)y?i,  note(c)y?2))(x) 

and  by  (c.abs)  (using  c  not  free  in  90)  and  (op.ext)  we  are  done.  if 

Lemma  (note.arg):  /  €  ©  =>  /(note(c)v?)  =  note(c)let{c  +  co  f}f(tp) 

Proof  (note.arg):  Assume  /  €  O  then  by  computation 

c(/(note(c)v?))  =  (c  0  appc(/))(note(c)v?) 

=  (co  f)(note(c)<p)  ;;  using  (op.eta)  Xx.f(x)  “  / 

—  (c  0  /)(let{c  +  co  /}v?) 

—  c(/(let{c -t-co  /}</>)) 

=  c(let{c-<-co  /}/(<£>))  ;;  two  applications  of  (letv) 

—  c(note(c)let{c  +  co  f}f(<p)) 
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and  by  c.abs  we  are  done  Dnote.arg 

Corollary  (note. let):  Taking  /  =  Xx.ipo  with  c  not  free  in  <po  we  have 

let{x  note(c)(/?}(^o  =  note(c)let{c  +  co  Ax.</?o}let{x  -+•  p}<Po 

Proof  (letx):  Assume  Frees[x,<p o]  H  trap(C)  =  0  and  x  is  not  free  in  C.  We 
prove 

let{x  ■«-  Vo}C\x\  £  C\tp oj 

by  induction  on  construction  of  C .  We  consider  a  few  sample  cases. 

Case  (I  ]):  let{x  <p0}x  =  <p0  by  (id).  □ 

Case  (Co(<^i)):  Choose  fresh  c  €  Co  then  by  computation  and  induction  hy¬ 

pothesis 

c(let{x  -e  v>o}Co|[x]l(v?i))  -  (c  0  appc(Ax.C0[*l(^i)))(^o) 

c(CoM(vi))  =  (c  o  appi(y>i))(C0[9ol) 

=  (c  o  appi(v?i))((Ax.C0  IxJ)(v?0)) 

=  (c  o  appi(^i)  o  appc(Ax.C0[xJ))(<^o)) 
c  o  appi(<lc1)  o  appc(Ax.C0|x])(x)  =  c  o  appi(<^i)C0|[xJ 

-to  appc(Ax.Co[x](<^i))(x)  ;;  using  x  not  free  C[] 
and  by  (c.ext,  o.ext)  we  are  done.  □ 

Case  (if(u,  Ci,  C2)):  by  vcases  Assume  v  =  mt  then  by  computation  and  in¬ 
duction  hypothesis 

let{x-e9o}if(u,Ci[x],C2|[x])  =  letfx-e^oJC^IxJ 
—  C2fo>ol 

—  ^(l7iC'iI(^ol>C2|</?ol) 

Similarly  we  have 

u  €  V+  =»  let{x-ev’o}if(u,Ci[[xl,C2|Ix|)  ^  if(u,Cil9ol,C2|v?ol) 

□ 

Case  (let{z  u}Co):  Let  C\  =  Cq{z/v}  then  by  computation  and  induction 
hypothesis 

let{x  Sr’o } let {x:  -e  u}C0[x]  S£  iet{x  v?o}Ci[xl  =  Ci[y>0J  =  let{z  -f-  v}C0[v>ol 
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where  the  freeness  condition  is  used  in  the  first  and  third  steps  (let  conversions) 

□ 

Case  (note(c)Co):  by  computation  and  induction  hypothesis 

c(let{x  v?0}note(c)Co[xl)  2  (c  o  appc(Ax.note(c)C0[x]|))(v?o) 
c(note(c)CoM)  =  c(C0M)  =  c(let{x  +  y>o}C0|[x]) 

=  (coappc(Ax.CoIx]))(v?0) 
co  appc(Ax.note(c)C0[xl)(x)  =  c(note(c)C0[x]|) 

—  c(C0[xJ)  =  co  appc(Ax.C0[x])(x) 

hence  by  (c.ext,  o.ext)  we  are  done.  □ 

The  cases  [Co,9?i],  [r,Ci],  if  (Co,  <£>1,^2),  fst(Co),  rst(Co),  axe  similar  to 

the  case  Co(^i)- 

^letx 

Proof  (escx):  Let  c  range  over  continuations  and  assume  Freeslc,  w0|ntrap(C)  = 

0.  Choose  x  fresh  then 

C[c(v?o)l  =  let{x  -*•  c(</?0)}C|xJ  =  c(</?0) 
by  (letx)  and  (esc.arg).  Descx 

Proof  (let.dist):  Assume  FVee.s[x,</?o]  fl  trap(C)  =  0  and  x  is  not  free  in  C. 
Then 

C[let{x  +  <A)M1  =  C[(Ax.yO(v>0)l 

—  Iet{x  ■+■  }C|(Ax.<j?)(x )J  ;;  (letx) 

=  let{x 9o}C[(^|  ;;  (letv) 

Dlet.dist 

Proof  (if.dist):  Assume  Freest 0)  H  irap(C)  =  0.  We  will  prove 

Sifteo.CIv^Cfol) 

by  induction  on  the  number  of  trapped  variables  in  C.  First  we  note  that  (by 
induction  on  construction  of  C)  either  C  has  no  trapped  variables  (is  a  pure 
evaluation  context)  or  we  can  find  C0,Ci  such  that  trap(C0)  =  0  and  such  that 
C  —  Co[let{x  u}Ci]  or  C  =  Co|[note(c)Ci] 
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Case  (pure):  Choose  x  fresh  then 

C[if(y> =  let{x  -t-if^o^i*  V*2)}C|x]  ;;  letx 

=  if(^0,let{x-(-(^i}C[xl,let{a:-e(lp2}C’Ixl)  ;;  if.arg 

=  i%0,  OJc^il,  CM)  ;;  letx 

Case  (note): 

=  C0[note(c)Ci[if(v?o,^i,V?2)ll 
=  Co[note(c)if(<^o>  Ci[v?i],  Ci[v?2])l  ;?  induction  hypothesis 

=  CoIif(v?o,  note(c)CiM>  note(c)CiM)!  ;;  (note.if) 

=  i%o,CM,CM)  ;;  pure  case 

□ 

Case  (let): 

£[•%><>,  <Pi,V>2)J  =  CoIlet{x-eu}Ci[if(v?0,  V?i,  V?2)U 

—  Co[let{x  -<-u}if(9o,  Ci[v?il,  Ci[v?2]|)]  ;;  induction  hypothesis 

—  C0[if(y>oi  let{x  v}Ci[v?iJ,let{x  t>}Ci|v?2J)J 
;;  (letv)  twice  using  x  not  free  ipo 

=  if  (90,  CM,  CM)  »  Pure  case 

□ 

Etf.dist 

Proof  (note.dist):  Assume  c  is  not  in  FrtesC  U  trap(C).  We  prove 

C[note(c)(/?J  =  note(c)let{c-<-co  Ax.C[x|}C|<^] 

by  induction  on  number  of  trapped  variables 
Case  (pure): 

C[note(cVJ 

—  Iet{x  note(c)<£>}C[xJ  ;;  (letx)  choosing  x  fresh 

=  note(c)let{c-s-co  Ax.C[xJ}(CM  ;;  (note.let),(letx) 


i 
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□pure 

Case  (note): 

C|note(c)(lp]  =  Cofnote(fc)Ci[note(c)<^]]  ;;  since  Co  is  pure 

Co|note(fc)note(c)let{c  +  co  Ax.Ci  JxJJCi^JJ  ;;  induction 

=  Co[[note(c)note(fc)let{c  k  o  Ax.Cri[xJ}Cx[y?]||  ;;  note.ren 

-  Co[note(c)note(A:)let{c  k  o  Ax.note(^)Cifxl}C1[^Jl  ;;  note.esc 

-  C'olnote(c)note(fc)let{c^co  Ax.noteCA)^^!}^^!!  ;;  note.ren 

a  Co[note(c)let{c  +  co  A*.note(fc)Ci[x]}note(fc)Ci[9jJ  B  (letv)  twice 
=  note(c)let{c-eco  Ax.CoffxJ) 

;fP°l!?kst C  °  XxMOt<k)ci  M}note(fc)Ci  M 

~  note(c)let{c  +  co  Ax. Co fxj  o  Ax.note(A:)C1Ixl}CoInote(it)C1[^|] 

;;  (letv) 

=  note(c)let{c  *fco  Ax.C|[x]]}C[<£j  ;;  (letx) 

□ 

Case  (let): 

C|[note(cVJ  =  Co[let{y-(-t;}Ci[note(cVJl 

=  Co[let{y-*-r}note(c)let{c-<-co  Cl}Ci|(£>J]  ;;  induction  hypothesis 

-  Cofnote(c)let{c  +  co  Ax.let{y -e f  }Ci[xJ}let{y u}Ci [^JJ 

;;  (letv) 

=  note(c)let{c  +  co  Ax.CoJxJ} 

;;  pute  c£ollet{c  -e  c  o  Ax.let{v  +  ®}C.  W}l.t{v  -e  v}Cl [„]] 

“  note(c)let{c  +  eo  Ax.CoIx]  o  Ax.letjy  +  v}Ci{xJ}C4let{s,  +  »}C,M| 

;;  (let.dist) 

-  note(c)let{c  +  c  o  \x.C[x\}C[<p\  ;;  (letx) 

□ 

anote.dist 
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10.4.  Representation  of  Computation 

We  define  a  syntactic  representation  5  of  dtrees,  values,  continuations,  and 
states  and  show  that  computations  can  be  simulated  by  chains  of  operational 
equivalences  using  the  computation  and  data  laws.  Let  f©  be  the  environment 
mapping  constants  to  the  corresponding  data  and  data  operations.  We  assume 
that  each  data  element  d  is  the  value  of  a  closed  data  form  and  let  5(d )  be  some 
such  form.  Then  5  is  extended  to  the  remaining  semantic  entities  as  follows 

S([au. . .  ,a„])  =  [<S(ai), . . .  ,5(a„)] 

S(0(*)  =  $(«*)) 

S((<p  :  0)  =  SiWv) 

5(top)  =  top 

5(7  o  (appi(yj)  :  £))5(7)  0  appi(5((y>  :  £)) 


5(7v*)  =  app(5(7),5(*)) 

S(7  a  v)  =  app(5(7),5(t;)) 

where  5(£)(y?)  denotes  the  natural  extension  of  a  map  from  variables  to  forms  to 
a  map  from  forms  to  forms  —  i.e.  substitution  for  free  occurrences  of  variable 
symbols. 

Theorem  (synrep): 

■  (i)  (5(x)  :  £d)  =  x  f°r  X  a  dtree,  continuation  or  value. 

»(ii)  If  Co  > — ►  Ci  then  5(Co)  —  5(Ci)  is  provable  from  the  computation  and  data 
laws. 

Proof  (synrep.i):  By  induction  on  the  structure  of  dtrees,  continuations,  and 
values.  i 

Case  (data):  (5(d)  :  £d)  =  d  by  definition  of  5(d). 

Case  (cart):  ^ 

(5([ai,...,an])  :  £d)  =  ([5(ai),...,5(a„)]  :  £©)  SS  [ai,...,an] 


since  by  the  induction  hypothesis  (5(ai)  :  £©)  =  a,-. 
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Case  (dtree,pfn):  If  X  —  (v  '  £)  and  x\, . . . ,  xn  are  the  variables  in  the  domain 
of  £  then 

(S(X)  :  &>)  =  (S(0(<f)  :  6d) 

-  (,et{xi  *+  S(f(*i ))}•••  let{x„n  -e  5(f(*„))}y>  :  &>)  ;;  by  (letv) 

)  =  (v5  :  0  >;  by  induction  hypothesis  and  computation 

Case  (continuation):  If  7  =  7o  o  (appi(p)  :  £)  then 

1  {^(7)  :  6d)  =  (£(7o)  0  5(0(appi(^))  :  Go)  =  7 

since  by  induction  hypothesis  (S(7o)  :  &>)  =  7o  and  ($(£)(appi(p))  :  &>)  S 

(appi(¥>)  :  0-  °i  '  "  ' 

Proof  (synrep.ii):  It  suffices  to  consider  single  steps  (0  >— *t  ft  and  cases 

according  to  the  rule  apphed  (as  given  in  Figure  5).  In  the  cases  sym,  lam,  mt, 
and  top  we  have  <S(Co)  and  <S(ft)  are  identical.  The  cases  app,  appi,  if,  cart,  carti, 
fst,  and  rst  follow  directly  from  the  corresponding  computation  laws.  For  the  cases 
o,  appc,  and  sw  we  use  the  app,  and  appi  laws  in  reverse  to  obtain 

(S( 7)  0  appC(5(i?)))(«S(r))  Si  S(7)(S(0)(S(v))) 

Then  we  use  the  data  laws,  the  letv  law,  or  the  sw  law  according  to  the  sort  of 
d-  For  the  cartc>  fstc,  and  rstc  cases  we  run  the  computation  rules  backwards  as 
for  the  appc  case  and  then  use  the  sequence  rules.  For  the  ifi  case  we  use  the  ifi 
laws  and  the  fact  that  any  closed  value  form  can  be  put  in  a  ‘canonical  form  using 
the  sequence  rules,  thus  emptiness  is  decidable  for  such  forms  within  the  theory. 
Finally  the  note  case  follows  from  the  note  law.  Djj 

10.5.  Relation  to  standard  definition  of  operational  relations 

The  standard  definition  of  operational  equivalence  is  trivial  equivalence  in 
all  closing  contexts.  More  precisely,  for  fixed  2),  we  define  standard  operational 
approximation  C5  by  ip0  <^1  just  if 

top  v  (C[v?ol  :  Go)  C0  top  v  (Cfy?iJ  :  fo) 

for  all  contexts  C  (forms  with  holes  in  arbitrary  positions)  such  that  Cfool,  Cfr  J 
are  closed  (contain  only  data  or  data  operation  constants  as  free  symbols). 

Theorem  (standard):  po  C  <pi  ip0  <fi 

Proof  (standard):  The  onlyif  direction  follows  from  the  fact  that  C  is  a 

congruence  on  forms.  For  the  if  direction  we  use  the  fact  that  for  any  continuation 
7  and  environment  f  (extending  £d)  there  is  a  context  C  such  that 

top  v  CM  ’  6d  >— ►  7  v  {<p  :  0 
for  any  form  <p  closed  by  ft  □ 


